I. INTRODUCTION



A. MOTIVATION 

In the last decade, the increasing complexity of computer communication systems has
created a growing demand for formal techniques to specify, design, verify and test
protocols. In order to have a clear understanding of the protocols, both for the protocol 
designer and implementor, it is essential to have a formal protocol specification. 

There are a large number of formal techniques available for modeling protocols. Most 
of these methods can be placed into one of the following general classifications [Ref. 1]: 
communicating finite state machines, Petri nets, programming languages and hybrids. 
Some models that have attracted the most interest and been chosen for standardization are
ESTELLE, LOTOS and SDL. Each of these has its own pros and cons.

Systems of communicating machines (SCM) is also a formally defined model for 
specification, analysis and testing of protocols that is defined in [Ref. 2]. This model uses 
a combination of finite state machines and variables, which may be local to a single 
machine or shared by two or more machines, so it can be classified in the models known as 
“extended finite-state machines.” The main goal of the SCM model was to improve the 
well-known simpler Communicating Finite-State Machines (CFSM) model. The SCM 
model has been used to specify and analyze several protocols [Ref. 3], [Ref. 4], [Ref. 5], 
[Ref. 6], [Ref. 7], Analysis of protocols specified with this model can be executed using a 
method called system state analysis. This analysis is similar to global reachability analysis, 
but generates a subset of all reachable states. Sometimes this subset is sufficient to verify 
the protocol. In some cases system state analysis is not sufficient for protocol analysis, and 
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global analysis is needed. However, it is possible to automate the system state analysis and 
global analysis based on the SCM model. 

Several tools exist for the design and verification of protocols. These tools are very 
important for increasing the usefulness of the formal description techniques (FDT). 

While there is no “perfect” formal specification technique, there is still room for more 
work to understand the advantages of different formal models and develop better tools to 
increase the utilization of these models. 

B. SCOPE OF THE THESIS 

The goal of the thesis is to present a software tool, called mushroom, that automates
the reachability analysis of protocols formally specified using the CFSM and SCM models.
The name mushroom was chosen as a symbol of something that starts out relatively small
(specification) and gets much bigger quickly (analysis). An earlier version of the program
[Ref. 8] was capable of generating reachability analysis for protocols consisting of only
two machines. This thesis expands on this earlier work, and the program is capable of analyzing
protocols that have any number of machines from two to eight. In addition, the user interface
for the program has also been improved. The program was tested against results of several 
previous works and has confirmed their results. It is also believed that this program will 
help to solve some problems concerning the SCM model. 

C. ORGANIZATION 

The thesis has six chapters. Chapter II reviews the Communicating Finite State 
Machines (CFSM) and Systems of Communicating Machines (SCM) models. In Chapter 
III, a program called simple mushroom, which automates the global reachability analysis 
based on CFSM model, is described. Chapter IV describes a program that automates the 
system state analysis (smart mushroom), or the full global analysis (big mushroom) for
a protocol specified formally using the SCM model. In Chapter V, some examples of the
use of the program are given. Chapter VI concludes the thesis with a research review and
suggestions for future work.

II. BACKGROUND OF MODELS



A. COMMUNICATING FINITE STATE MACHINES 

The communicating finite state machine (CFSM) model is a simple model and perhaps the
earliest FDT. In this model, each machine in the network is modeled as a finite automaton 
or finite state machine (FSM), with communication channels between pairs of machines 
modeled as one-way, infinite length FIFO queues. There is a great deal of literature on this 
model [Ref. 9] [Ref. 10] [Ref. 11]. The model is defined for an arbitrary number of 
machines; however, for simplicity, a two machine model (shown in Figure 1) will be 
presented here. 




Figure 1: CFSM, 2 machine model representation 



1. Model Definition 

This section defines the CFSM model [Ref. 12] and provides a simple protocol 
specification and analysis to clarify the definition. 

A communicating machine M is a finite, directed labeled graph with two types of 
edges, sending and receiving. A sending (receiving) edge is labeled ‘-g’ (‘+g’) for some 
message g, taken from a finite set G of messages. One of the nodes in M is identified as the 
initial node, and each node is reachable from the initial node by some directed path. A node 
in M whose outgoing edges are all sending (receiving) edges is a sending (receiving) node;
otherwise the node is a mixed node. If the outgoing edges of each node in M have distinct
labels, then M is deterministic, otherwise M is nondeterministic. The nodes of M are often
referred to as states; these two terms will be used interchangeably throughout this thesis.

Let M and N be two communicating machines having the same set G of messages;
the pair (M,N) is a network. A global state of this network is a four-tuple $[m, c_m, n, c_n]$, where
m and n are nodes (states) from M and N, and $c_m$ and $c_n$ are strings from the set G of
messages. Intuitively, the global state $[m, c_m, n, c_n]$ means that the machines M and N have
reached states m and n, and the communication channels contain the strings $c_m$ and $c_n$ of
messages, where $c_m$ denotes the messages sent from M to N in channel $C_M$, and $c_n$ denotes
the messages sent from N to M in channel $C_N$. In the case of k machines,
where k > 2, the global state can be represented as

$[m_1, q_{12}, q_{13}, \ldots, m_2, q_{21}, q_{23}, \ldots, m_3, q_{31}, q_{32}, \ldots, m_k, q_{k1}, q_{k2}, \ldots]$

where the $m_i$ are the nodes of the machines and $q_{ij}$ contains the messages sent from $M_i$ to $M_j$.
Subscripts i and j range from 1 to k, with $i \neq j$.

The initial global state of (M,N) is $[m_0, E, n_0, E]$, where $m_0$ and $n_0$ are the initial
states of M and N, and E is the empty string.

The network progresses as transitions are taken in either M or N. Each transition 
consists of a state change in one of the machines, and either the addition of a message to 
the end of one channel (sending transition) or the deletion of a message from the front of 
one channel (receiving transition). 

A sending transition in M (N) adds a message to the end of channel $C_M$ ($C_N$); a
receiving transition in M (N) removes a message from the front of channel $C_N$ ($C_M$).

Suppose +g is a receiving transition from state i to j in machine M (N). The
transition can be executed if and only if M (N) is in state i and the message g is at the front
of the channel $C_N$ ($C_M$). The execution takes zero time. After its execution, machine M (N)
is in state j, and the message g has been removed from the channel $C_N$ ($C_M$).

Similarly, suppose -g is a sending transition from state i to j in M (N). The
transition can be executed if and only if M (N) is in state i. Afterwards, g appears on the end
of the outgoing channel, and the machine has transitioned to state j.

Suppose $s_1 = [m, c_m, n, c_n]$ is a global state of (M,N). State $s_2$ follows $s_1$ if there is a
transition (in M or N) which can be executed in $s_1$ and results in $s_2$. State $s_r$ is reachable
from $s_1$ if there is a sequence of states $s_i, \ldots, s_{i+p}$ such that $s_i$ follows $s_1$, $s_{i+1}$ follows
$s_i$, and so on, and $s_r$ follows $s_{i+p}$. A state s is reachable if it is reachable from the initial state.

The communication of a network (M,N) is bounded if, for every reachable state
$[m, c_m, n, c_n]$, there is a nonnegative integer k such that $|c_m| < k$ and $|c_n| < k$, where $|c|$ denotes
the number of messages in channel C.

A reachability graph of a network (M,N) is a directed graph in which the nodes 
correspond to the reachable global states of (M,N), and the edges represent the follows 
function. That is, there is an edge from state $s_i$ to state $s_j$ if and only if $s_j$ follows $s_i$. The
edges are labeled with the transitions which they represent. This reachability graph can be
generated by starting with the initial state, and adding the states which follow it, connecting 
them to it with edges; and repeating for each new state generated. 

The next two definitions are of errors that may occur in a communication 
protocol, which are detectable by analysis. 

A global state $[m, c_m, n, c_n]$ is a deadlock state if both m and n are receiving nodes,
and $c_m = c_n = E$, where E denotes the empty string.

A global state $[m, c_m, n, c_n]$ is an unspecified reception state if one of the following
two conditions is true:

(1) m is a receiving state, the message at the head of channel $c_n$ is g, and none of
m's outgoing transitions is labeled ‘+g.’

(2) n is a receiving state, the message at the head of channel $c_m$ is g, and none of
n's outgoing transitions is labeled ‘+g.’

These error conditions can be identified by generating the reachability graph for 
a network, and inspecting all states as they are generated. 

In the next section, an example protocol is specified and analyzed using the 
CFSM model. 

2. An Example of Protocol Specification and Analysis Using CFSM 

The CFSM specification of an imaginary ring-like network consisting of three
communicating machines is shown in Figure 2. 



Figure 2: CFSM specification for the example protocol (panels: Machine 1, Machine 2)



It is assumed that the protocol is used at the data link layer, making use of the 
services provided by the physical layer.

Edges are labeled such that the characters following the ‘-/+’ show the messages
and the numbers represent the destination machine. Each machine sends one message to the 
next machine and receives a message from the previous machine in clockwise direction 
forming a ring. Ignore the dashed edges and nodes for the time being. The initial state of 
each machine is 1; thus the initial global state is [1,E,E,1,E,E,1,E,E]. 

The reachability analysis can be done by a simple procedure. Starting with the 
initial global state only one transition is possible, the ‘-D0’ of machine 1 from state 1.
This leads to global state [2,D0,E,1,E,E,1,E,E]. We can continue the analysis in the same 
manner detecting the possible transitions from this new global state. The complete 
reachability analysis is given in Figure 3 consisting of a total of six states. 




Figure 3: Reachability analysis of the example protocol

In this sample protocol, there are no deadlocks or unspecified receptions. If the
dashed edges and states in Figure 2 are added to the specification, the reachability analysis
shown in Figure 4 would be achieved. In this analysis there is one deadlock condition and
one unspecified reception. In global state [3,E,E,3,E,E,1,E,E], all the channels are empty
and all the nodes are receiving nodes, satisfying the deadlock condition. In global state
[2,E,E,1,E,E,3,D4,E], machine 1 and machine 2 are in receiving states but none of the
outgoing transitions are labeled ‘+D4’, satisfying an unspecified reception condition.



[1,E,E,1,E,E,1,E,E]
    | -D0,2
[2,D0,E,1,E,E,1,E,E]
    | +D0,1
[2,E,E,2,E,E,1,E,E]
    | -D1,3
[2,E,E,1,E,D1,1,E,E]
    | +D1,2
[2,E,E,1,E,E,2,E,E]
    | -D2,1                          | -D4,1
[2,E,E,1,E,E,1,D2,E]             [2,E,E,1,E,E,3,D4,E]   Unspecified Reception
    | +D2,3 (returns to [1,E,E,1,E,E,1,E,E])

Branch from the initial state:

[3,D3,E,1,E,E,1,E,E]
    | +D3,1
[3,E,E,3,E,E,1,E,E]   Deadlock

Figure 4: Reachability analysis including errors

3. Summary 

The CFSM model is simple and easy to understand. However, as the protocols 
become more complex, this model becomes difficult to use due to a combinatorial 
explosion of states. The analysis might not terminate if the queue length is unbounded. The 
number of states in the reachability graph will be unmanageably large for such complex
protocols even if the queue length is bounded. A computer analysis might eventually
terminate, but the CPU time would still be days or even months, which is obviously impractical.

Another disadvantage is that as the protocols become more complex, the 
specification of the protocol can be so large, consisting of many states and transitions, that
it becomes very hard to tell whether it is the intended specification. Several examples are
given in Chapter V that show how large the analysis can become for some protocols.

B. SYSTEMS OF COMMUNICATING MACHINES 

In this section the SCM model is described. First the model definition is given, then 
the algorithm for generating the system state analysis is described. Finally the model is used 
for specification and analysis of an example protocol to illustrate the important aspects of 
the model. 

1. Model Definition 

A system of communicating machines is an ordered pair C = (M,V), where

$M = \{m_1, m_2, \ldots, m_n\}$

is a finite set of machines, and

$V = \{v_1, v_2, \ldots, v_k\}$

is a finite set of shared variables, with two designated subsets $R_i$ and $W_i$ specified
for each machine $m_i$. The subset $R_i$ of V is called the set of read access variables for
machine $m_i$, and the subset $W_i$ the set of write access variables for $m_i$.

Each machine $m_i \in M$ is defined by a tuple where

(1) $S_i$ is a finite set of states;

(2) $s \in S_i$ is a designated state called the initial state of $m_i$;

(3) $L_i$ is a finite set of local variables;

(4) $N_i$ is a finite set of names, each of which is associated with a unique pair (p,a),
where p is a predicate on the variables of $L_i \cup R_i$, and a is an action on the variables of
$L_i \cup R_i \cup W_i$. Specifically, an action is a partial function

$a : L_i \times R_i \to L_i \times W_i$

from the values of the local variables and read access variables to the values of
the local variables and write access variables.

(5) $\tau_i : S_i \times N_i \to S_i$ is a transition function, which is a partial function from the
states and names of $m_i$ to the states of $m_i$.

Machines model the entities, which in a protocol system are processes and 
channels. The shared variables are the means of communication between the machines. 
Intuitively, $R_i$ and $W_i$ are the subsets of V to which $m_i$ has read and write access,
respectively. A machine is allowed to make a transition from one state to another when the 
predicate associated with the name for that transition is true. Upon taking the transition, the 
action associated with that name is executed. The action changes the values of local and/or 
shared variables, thus allowing other predicates to become true. 

The sets of local and shared variables specify a name and range for each. In most 
cases, the range will be a finite or countable set of values. For proper operation, the initial 
values of some or all of the variables should be specified. 

A system state tuple is a tuple of all machine states. That is, if (M,V) is a system
of n communicating machines, and $s_i$, for $1 \le i \le n$, is the state of machine $m_i$, then the n-tuple
$(s_1, s_2, \ldots, s_n)$ is the system state tuple of (M,V). A system state is a system state tuple,
plus the outgoing transitions which are enabled. Thus two system states are equal if every 
machine is in the same state, and the same outgoing transitions are enabled. 

The global state of a system consists of the system state tuple, plus the values of 
all variables, both local and shared. It may be written as a larger tuple, containing the
system state tuple with the values of the variables. The initial global state is the initial
system state tuple, with the additional requirement that all variables have their initial 
values. The initial system state is the system state such that every machine is in its initial 
state, and the outgoing transitions are the same as in the initial global state. 

A global state corresponds to a system state if every machine is in the same state, 
and the same outgoing transitions are enabled. Clearly, more than one global state may 
correspond to the same system state. 

Let $\tau(s_1, n) = s_2$ be a transition which is defined on machine $m_i$. Transition $\tau$ is
enabled if the enabling predicate p, associated with name n, is true. Transition $\tau$ may be
enabled whenever $m_i$ is in state $s_1$ and the predicate p is true (enabled). The execution of $\tau$
is an atomic action, in which both the state change and the action a associated with n occur 
simultaneously. 

It is assumed that if a transition is enabled indefinitely, then it will eventually 
occur. This is an assumption of fairness, and is needed for the proofs of certain properties. 

2. Algorithm: System State Analysis 

The process of generating the set of all system states reachable from the initial 
state is called system state analysis. This analysis constructs a graph, whose nodes are the 
reachable system states, and whose arcs indicate the transitions leading from each system 
state to another. This graph may be generated by a mechanical procedure which consists of 
the following three steps [Ref. 1]: 

1. Set each machine to its initial state, and all variables to their initial values. The 
initial set of reachable system states consists of only the initial system state; the 
initial graph is a single node representing this state. 

2. From the current system state vector and variable values, determine which 
transitions are enabled. For each of these transitions, determine the system state 
which results from its execution. If this state (with the same enabled transitions)
has already been generated, then draw an arc from the current state to it, labelling
the arc with the transition name. Otherwise, add the new system state to the graph, 
draw an arc from the current state to it, and label the arc with the name of the 
transition. 

3. For each new state generated in step 2, repeat step 2. Continue until step 2 has 
been repeated for each system state thus generated, and no more new states are 
generated. 

3. An Example of Protocol Specification and Analysis Using SCM 

The specification of an imaginary ring-like network consisting of three machines 
similar to the CFSM example in the previous section is given in Figure 5. The specification 
consists of the finite state machines, the local and shared variables, and the predicate action 
table, shown in Table 1. The local variables are in_buff1, in_buff2, in_buff3, out_buff1,
out_buff2, and out_buff3, and are shown under the corresponding FSMs with their initial
values. The shared variables are CHAN1, CHAN2, and CHAN3, and are shown between the
two machines. The initial state of each machine is 0, and the shared variables and local
variables are empty except the local variable out_buff1, which has data in it. E in the
predicate-action table denotes the empty string. A character D will be used to represent the
data in the out_buff1 local variable. Other notations in the predicate-action table are
intuitive.

Each machine sends one message to the next machine and receives a message 
from the previous machine in clockwise direction forming a ring. The global reachability 
analysis, shown in Figure 6, has 12 states. The system state analysis, shown in Figure 7, has 
only 6 states. The subscripts in Figure 7 are used so that distinct system states having the
same tuple (but not the same outgoing transitions) may easily be distinguished.

Figure 5: FSMs and variables for the example protocol (diagram not reproduced; it shows machines M1, M2 and M3, their in_buff and out_buff local variables with initial values, and the shared variables CHAN1, CHAN2 and CHAN3)



TABLE 1: PREDICATE-ACTION TABLE FOR THE EXAMPLE PROTOCOL

Transition | Enabling Predicate          | Action
snd_data1  | CHAN1 = E ∧ out_buff1 ≠ E   | CHAN1 ← out_buff1; out_buff1 ← E
rcv_data3  | CHAN3 ≠ E                   | in_buff1 ← CHAN3; out_buff1 ← in_buff1; CHAN3 ← E
snd_data2  | CHAN2 = E ∧ out_buff2 ≠ E   | CHAN2 ← out_buff2; out_buff2 ← E
rcv_data1  | CHAN1 ≠ E                   | in_buff2 ← CHAN1; out_buff2 ← in_buff2; CHAN1 ← E
snd_data3  | CHAN3 = E ∧ out_buff3 ≠ E   | CHAN3 ← out_buff3; out_buff3 ← E
rcv_data2  | CHAN2 ≠ E                   | in_buff3 ← CHAN2; out_buff3 ← in_buff3; CHAN2 ← E

[m1,in_buff1,out_buff1,m2,in_buff2,out_buff2,m3,in_buff3,out_buff3,CHAN1,CHAN2,CHAN3]

[0,E,D,0,E,E,0,E,E,E,E,E]
    | snd_data1
[1,E,E,0,E,E,0,E,E,D,E,E]
    | rcv_data1
[1,E,E,1,D,D,0,E,E,E,E,E]
    | snd_data2
[1,E,E,0,D,E,0,E,E,E,D,E]
    | rcv_data2
[1,E,E,0,D,E,1,D,D,E,E,E]
    | snd_data3
[1,E,E,0,D,E,0,D,E,E,E,D]
    | rcv_data3
[0,D,D,0,D,E,0,D,E,E,E,E]
    | snd_data1
[1,D,E,0,D,E,0,D,E,D,E,E]
    | rcv_data1
[1,D,E,1,D,D,0,D,E,E,E,E]
    | snd_data2
[1,D,E,0,D,E,0,D,E,E,D,E]
    | rcv_data2
[1,D,E,0,D,E,1,D,D,E,E,E]
    | snd_data3
[1,D,E,0,D,E,0,D,E,E,E,D]
    | rcv_data3 (back to [0,D,D,0,D,E,0,D,E,E,E,E])

Figure 6: Global reachability analysis for the example protocol



Thus, for this protocol we have 6 system states, and 12 global states. For more
complex protocols, the difference between these numbers can be much larger. For example,
for a sliding window protocol with a window size of 8, the system state analysis was shown to
generate 165 states, while the full global analysis generated 11880 states [Ref. 1].

[0,0,0]_0
    | snd_data1
[1,0,0]_0
    | rcv_data1
[1,1,0]_0
    | snd_data2
[1,0,0]_1
    | rcv_data2
[1,0,1]_0
    | snd_data3
[1,0,0]_2
    | rcv_data3 (back to [0,0,0]_0)

Figure 7: System state analysis for the example protocol
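
The difference between the two analyses can be reproduced directly from Table 1. The Python below is an added example, not code from the thesis or from the mushroom program; it assumes, from the tuples in Figure 6, that each machine alternates between states 0 and 1, and the names snd, rcv, enabled and explore are illustrative.

```python
from collections import deque

E = ""  # the empty string, written E in Table 1


def snd(chan, out):
    """Table 1 send row: enabled when chan = E and out /= E; moves out into chan."""
    return (lambda v: v[chan] == E and v[out] != E,
            lambda v: {**v, chan: v[out], out: E})


def rcv(chan, inb, out):
    """Table 1 receive row: enabled when chan /= E; copies chan to inb and out, empties chan."""
    return (lambda v: v[chan] != E,
            lambda v: {**v, inb: v[chan], out: v[chan], chan: E})


# name -> (machine index, from state, to state, predicate, action).
# Assumption: the 0 -> 1 -> 0 state changes are read off the tuples in Figure 6.
TRANSITIONS = {
    "snd_data1": (0, 0, 1, *snd("CHAN1", "out_buff1")),
    "rcv_data3": (0, 1, 0, *rcv("CHAN3", "in_buff1", "out_buff1")),
    "rcv_data1": (1, 0, 1, *rcv("CHAN1", "in_buff2", "out_buff2")),
    "snd_data2": (1, 1, 0, *snd("CHAN2", "out_buff2")),
    "rcv_data2": (2, 0, 1, *rcv("CHAN2", "in_buff3", "out_buff3")),
    "snd_data3": (2, 1, 0, *snd("CHAN3", "out_buff3")),
}
VARS = ["in_buff1", "out_buff1", "in_buff2", "out_buff2", "in_buff3", "out_buff3",
        "CHAN1", "CHAN2", "CHAN3"]
# Every machine starts in state 0; all variables are empty except out_buff1 = D.
INITIAL = ((0, 0, 0), {**dict.fromkeys(VARS, E), "out_buff1": "D"})


def enabled(states, v):
    """Names of the transitions whose source state and predicate both hold."""
    return frozenset(name for name, (m, src, _, pred, _) in TRANSITIONS.items()
                     if states[m] == src and pred(v))


def explore(system_states_only):
    """Breadth-first generation of reachable states.

    Global analysis identifies a state by the state tuple plus all variable values.
    System state analysis identifies it by the state tuple plus the enabled transitions,
    so a global state that maps to a known system state is not expanded again.
    """
    def key(states, v):
        if system_states_only:
            return states, enabled(states, v)
        return states, tuple(v[name] for name in VARS)

    seen, frontier = {key(*INITIAL)}, deque([INITIAL])
    while frontier:
        states, v = frontier.popleft()
        for name in sorted(enabled(states, v)):
            m, _, dst, _, action = TRANSITIONS[name]
            nxt = (states[:m] + (dst,) + states[m + 1:], action(v))
            if key(*nxt) not in seen:
                seen.add(key(*nxt))
                frontier.append(nxt)
    return seen


if __name__ == "__main__":
    print("global states:", len(explore(False)))
    print("system states:", len(explore(True)))
```

The three system states that share the tuple (1,0,0) differ only in their enabled transition, which is what the subscripts in Figure 7 record.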

4. Summary 

The SCM model has desirable properties which overcome some of the 
disadvantages of the CFSM model. One of the advantages of the SCM model is that it
greatly reduces state explosion through the use of system state analysis. In
some cases, however, the system state analysis is not sufficient for protocol analysis, and 
some other method - such as global analysis - must be done. A problem with the system 
state analysis is the loops in the state machines which may cause an insufficient analysis. 
This problem is illustrated with an example in Chapter V. 

Another advantage of the SCM model is that it allows communication between
machines in a nonsequential manner, unlike the FIFO queue representation in the CFSM
model. The SCM model specification is also easier to understand than the CFSM model for
more complex protocols.

III. SIMPLE MUSHROOM: A PROGRAM FOR AUTOMATING CFSM REACHABILITY ANALYSIS



This chapter and the next describe a program called mushroom, which
was written in the Ada programming language. Mushroom automates the reachability
analysis of protocols specified by the CFSM and the SCM models. The Mushroom program
was first developed as two separate programs. The first program, called simple mushroom,
automates the CFSM analysis. The second program automates either system state analysis
(smart mushroom), or the full global analysis (big mushroom) for a protocol specified
formally by the SCM model. The general structure of the Mushroom program is shown in
Figure 8.




Figure 8: General structure of Mushroom program

The Simple Mushroom program is described in this chapter in four sections: program
structure, inputs to the program, generating the reachability analysis, and outputs of the
program.



A. PROGRAM STRUCTURE 

The Simple Mushroom program consists of Ada subprograms (procedures and 
functions), which are separate compilation units and subunits of compilation units. Related 
subprograms are also gathered in the same files. The compilation units of the program are 
shown in Table 2. Procedure main is the parent unit. All of the subprograms are the 
subunits of procedure main. [Ref. 13] 



TABLE 2: SIMPLE MUSHROOM PROGRAM COMPILATION UNITS

Compilation Unit | Description | File Name
main (procedure) | This is the parent unit. Contains the main data structures, global variables, and the driver. | tmain.a
load_machine_array (procedure) | Builds the adjacency lists from FSMs. | tinput.a
read_in_file (procedure) | Parses the input FSM text file. | tinput.a
build_Gstate_graph (procedure) | Generates the reachability graph. | treachability.a
IsEqual (function) | Compares two global states for equality. | treachability.a
hash (function) | Generates an index number according to the hashing function. | treachability.a
clear_pointers (procedure) | Deallocates the dynamic memory space for another analysis. | treachability.a
find_tuple (function) | Searches the reachability graph for the equivalent tuples using external (open) hashing. | tsearch.a
clear_hash_array (procedure) | Clears the hash array and deallocates the memory. | tsearch.a
Print_Queue (procedure) | Prints the FIFO queues. | toutput.a
output_Gstate_transition (procedure) | Outputs the transition name. | toutput.a
output_Gstate_node (procedure) | Outputs the machine states, unspecified receptions, and the states with deadlocks. | toutput.a
output_machine_arrays (procedure) | Outputs the FSM description in a tabular format. | toutput.a
output_unexecuted_transitions (procedure) | Outputs the unexecuted transitions. | toutput.a
create_output_file (procedure) | Creates an output file for storing the analysis results. | toutput.a
output_analysis (procedure) | Driver for the output subprograms. | toutput.a
system_call (procedure) | Interface procedure for Unix system calls via C. | tsystem.a
message_queues (package) | Implements the queue operations for the FIFO communication channels. | tqueues.a
pointer_queues (generic package) | Implements the queue operations for the pointer queue that stores the global tuples temporarily. | tqueues_2.a

The method of splitting the program into separate compilation units has permitted a
hierarchical program development.



B. INPUT 

The CFSM specification of a protocol consists of only FSMs of the communicating 
machines. In the program, FSMs are represented with a text file. The user enters the 
directed graphs as a text file using some reserved words, numbers, and characters 
representing the machines, states and the transitions. The list of reserved words and the 
syntax for the FSM text description are shown in Figure 9 in Backus-Naur Form (BNF). 

reserved_word ::= start
                | number_of_machines
                | machine
                | state
                | trans
                | initial_state
                | finish

number_of_machines <machine_number>
machine 1 | <machine_number>
state <state_number>
trans {+|-}<message> <next_state> <next_machine>
initial_state <state_number> <state_number> [<state_number>] [<state_number>]
              [<state_number>] [<state_number>] [<state_number>] [<state_number>]
<machine_number> ::= 2|3|4|5|6|7|8
<state_number> ::= 0|1|2|3|...|50
<message> ::= {<letter>|<digit>} [{<letter>|<digit>}] [{<letter>|<digit>}]
<next_state> ::= <state_number>
<next_machine> ::= 1 | <machine_number>
<letter> ::= a|b|...|z|A|B|...|Z
<digit> ::= 0|1|2|3|4|5|6|7|8|9

Figure 9: Syntax for the text description of FSM

As can be seen from Figure 9, the maximum number of machines allowed is eight, and
the number of states for each machine can be from 0 to 50. Transition names must be at
most three characters long and may be any combination of letters or digits. These
constraints can be relaxed with slight modifications to the program, if necessary.

The input file for the example protocol in Chapter II for the CFSM model is shown in
Figure 10. For example, “trans -D3 3 2” represents a transition from state 1 to state 3 (first
number) in machine 1 sending (‘-’ sign) the message “D3” to machine 2. “initial_state 1 1
1” means that the initial states of machine 1, machine 2, and machine 3 are state 1.



start
number_of_machines 3
machine 1
state 1
trans -D3 3 2
trans -D0 2 2
state 2
trans +D2 1 3
machine 2
state 1
trans +D3 3 1
trans +D0 2 1
state 2
trans -D1 1 3
machine 3
state 1
trans +D1 2 2
state 2
trans -D4 3 1
trans -D2 1 1
initial_state 1 1 1
finish

Figure 10: Text file description of the FSM 



First, this file is parsed by the read_in_file procedure and tokens are generated. Then, the
load_machine_array procedure constructs an adjacency list which represents the FSMs.
The data structure for the adjacency list is shown below:



type cfsm_transition_type is (s, r, u);   -- s: sending edge, r: receiving edge, u: default value
type visit_type is (yes, no);
type state_type is range 0..50;
type next_machine_type is range 1..8;
type machine_array_record_type;           -- incomplete declaration needed by the access type
type Slink_type is access machine_array_record_type;
type machine_array_record_type is         -- one edge in a state's adjacency list
   record
      transition    : cfsm_transition_type := u;
      message       : message_queue.message_queue_type;
      next_Mstate   : state_type := 0;
      other_machine : next_machine_type := 1;
      visited       : visit_type := no;
      Slink         : Slink_type := null;  -- next edge leaving the same state
   end record;

-- one list head per state, and one such array per machine
type machine_array_type is array(state_type range 0..50) of Slink_type;
type system_array_type is array(next_machine_type range 1..8) of machine_array_type;



The adjacency list for the example protocol is depicted in Figure 12. This adjacency 
list is used for constructing the global reachability graph. The adjacency list contains all the 
necessary information for generating the global reachability graph. 

The user also provides the name of the text input file and a file name for storing the 
analysis results. Input file name must end with “.fsm” extension to prevent confusion. The 
output file name must be no more than 20 characters long. 



C. REACHABILITY ANALYSIS 

After reading the input file the program starts generating the global reachability graph. 
The program uses the adjacency list and the initial state to construct the global reachability 
graph. Starting with the initial state, the new states are added and linked to the graph 
dynamically. The algorithm to construct the global reachability graph is given in Figure 13.

During the graph construction, the program also detects the global states with
deadlocks and unspecified receptions. The program also finds the maximum message
queue size and channel overflows. Analysis results are stored in the output file in parallel
with the graph construction. This prevents the traversal of the entire graph one more time
at the end of the program and decreases the run time.

Figure 12: Adjacency list for the example ring protocol in Chapter II



loop (main loop)
   for index1 in 1 .. total_number_of_machines loop
      place_holder(index1) := machine_array(index1)(M_state(index1))
      while (place_holder(index1) /= null) loop
         loop
            if (place_holder(index1).transition = s) then
               Enqueue the message into the corresponding message queue
               search the graph for this new global state tuple
               if not found then create a new node and link to the graph
                  Enqueue this new node to the pointer_queue
               else link the transition to found global state tuple
            else
               if (place_holder(index1).transition = r) and at least one of the message queues for
                     this machine is not empty then
                  find this message queue and Dequeue
                  search the graph for this new global state tuple
                  if not found then create a new node and link to the graph
                     Enqueue this new node to the pointer_queue
                  else link the transition to found global state tuple
               end if;
            place_holder(index1) := place_holder(index1).Slink
            exit
         end loop
      end loop
   end loop
   if pointer_queue empty then
      exit
   else
      Dequeue pointer_queue and update M_state for this new node
   end if
end loop (main loop)

Figure 13: Algorithm for generating global reachability graph for CFSM 



One of the most time consuming procedures is the search algorithm for detecting if a
node was previously created. The previous version of the program [Ref. 8] used a depth
first search / breadth first search in a recursive manner. In this program, the search is made
more efficient using a hashing algorithm. The hash function is obtained from the machine
states of the global tuple which has provided an efficient mapping. Therefore, the
complexity of the search algorithm is O(1) when the hash function generates a distinct
index (no collision) and O(n) when the same index is generated, where n is the number of
hash collisions for that state. In many sample runs of the program, the complexity was O(1)
for about 30% of the global states, and 3 nodes had to be traversed on the average for 70%
of the global states. The reachability analysis is limited by the storage capacity of the
computer. The run time is also another factor that must be considered. The largest analysis
carried out by the program thus far has generated about 160,000 states in 12 hours for a six
machine protocol specification. Some alternative methods for improving the efficiency of
the program and analysis size using other search techniques are discussed in Chapter VI.

The structure of a global node is shown in Figure 14. The maximum number of 
outgoing transitions is limited to 7, which can be increased if needed. Also, a maximum 
channel capacity of 6 messages is introduced to ensure that the analysis eventually stops. 

D. OUTPUT 

The program stores the analysis results in a file named by the user during the 
reachability graph construction. This file contains the specification in a tabular format, 
reachability graph and the results of the analysis consisting of the number of states 
generated, number of states analyzed, number of deadlocks, number of unspecified 
receptions, maximum message queue size and number of channel overflows. Global states 
with deadlocks and unspecified receptions are also marked in the reachability graph. The 
output file also lists the unexecuted transitions. A menu is displayed at the end of the 
analysis. From this menu the user has the option of displaying or printing the results or 
continuing the program for another analysis.

If the analysis generates more than 2000 states, the program gives an interim summary
of the analysis and asks the user if they would like to continue. If the user wishes to 
continue, analysis proceeds in steps of 1000 states until the analysis ends or the user 
terminates the analysis (as long as memory is available). For analyzing large protocols, the 
number of states between these “stops” can be made larger (for example, increments of 
5000 or 10000). The program output for the example protocol in Chapter II is given in 
Figure 15. 



[Figure 14 diagram: a global state node consisting of System_state_number; GTUPLE, which holds
Machine_state (1 to 8) and the message queues queue_num 1,1 through queue_num 8,8; and LINK
(1 to 7), each link holding Gtransition, Gmessage, Next machine, New node and Glink.]

Figure 14: Global state structure with outgoing transitions
REACHABILITY ANALYSIS of : ring.fsm
SPECIFICATION

Machine 1 State Transitions

From | To | other machine | Transition

1 | 2 | 2 | s d0
1 | 3 | 2 | s d3
2 | 1 | 3 | r d2

Machine 2 State Transitions

From | To | other machine | Transition

1 | 2 | 1 | r d0
1 | 3 | 1 | r d3
2 | 1 | 3 | s d1

Machine 3 State Transitions

From | To | other machine | Transition

1 | 2 | 2 | r d1
2 | 1 | 1 | s d2
2 | 3 | 1 | s d4

REACHABILITY GRAPH

1 [ 1,E,E,1,E,E,1,E,E]
     -d0 2 [ 2,d0,E,1,E,E,1,E,E] 2
     -d3 2 [ 3,d3,E,1,E,E,1,E,E] 3
2 [ 2,d0,E,1,E,E,1,E,E]
     +d0 1 [ 2,E,E,2,E,E,1,E,E] 4
3 [ 3,d3,E,1,E,E,1,E,E]
     +d3 1 [ 3,E,E,3,E,E,1,E,E] 5
4 [ 2,E,E,2,E,E,1,E,E]
     -d1 3 [ 2,E,E,1,E,d1,1,E,E] 6
5 [ 3,E,E,3,E,E,1,E,E] **********DEADLOCK condition***
6 [ 2,E,E,1,E,d1,1,E,E]
     +d1 2 [ 2,E,E,1,E,E,2,E,E] 7
7 [ 2,E,E,1,E,E,2,E,E]
     -d2 1 [ 2,E,E,1,E,E,1,d2,E] 8
     -d4 1 [ 2,E,E,1,E,E,3,d4,E] 9
8 [ 2,E,E,1,E,E,1,d2,E]
     +d2 3 [ 1,E,E,1,E,E,1,E,E] 1
9 [ 2,E,E,1,E,E,3,d4,E] **********unspecified Reception

SUMMARY OF REACHABILITY ANALYSIS (ANALYSIS COMPLETED)

Total number of states generated : 9
Number of states analyzed : 9
Number of deadlocks : 1
Number of unspecified receptions : 1
Maximum message queue size : 1
Channel overflow : NONE

UNEXECUTED TRANSITIONS
*****NONE*****

Figure 15: Program output for the example ring protocol
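
The following Python sketch is an added example, not the thesis's Ada program. It runs the CFSM reachability analysis described in Section C on the ring specification printed in Figure 15, looking nodes up through a hash keyed on the machine states alone and chaining collisions as the text describes. The one-FIFO-per-ordered-machine-pair channel model and the exact deadlock and unspecified-reception tests are assumptions chosen to match Figure 15's summary.

```python
from collections import deque

# Constructed input: the CFSM ring specification as printed in Figure 15.
# SPEC[machine][state] = [(kind, message, other_machine, next_state), ...]
# kind 's' sends to other_machine, kind 'r' receives from other_machine.
SPEC = {
    1: {1: [('s', 'd0', 2, 2), ('s', 'd3', 2, 3)], 2: [('r', 'd2', 3, 1)]},
    2: {1: [('r', 'd0', 1, 2), ('r', 'd3', 1, 3)], 2: [('s', 'd1', 3, 1)]},
    3: {1: [('r', 'd1', 2, 2)], 2: [('s', 'd2', 1, 1), ('s', 'd4', 1, 3)]},
}
INITIAL = (1, 1, 1)
CHANNEL_CAPACITY = 6  # bound stated in the text; guarantees termination


def step(states, queues, m, trans):
    """Fire one transition of machine m.

    Returns (label, new_states, new_queues), the string 'overflow' when a send
    would exceed CHANNEL_CAPACITY, or None when a receive is not enabled.
    """
    kind, msg, other, nxt = trans
    q = dict(queues)
    if kind == 's':
        chan = (m, other)
        if len(q.get(chan, ())) >= CHANNEL_CAPACITY:
            return 'overflow'
        q[chan] = q.get(chan, ()) + (msg,)
    else:
        chan = (other, m)
        if q.get(chan, ())[:1] != (msg,):  # head of the FIFO must match
            return None
        q[chan] = q[chan][1:]
        if not q[chan]:
            del q[chan]
    new_states = states[:m - 1] + (nxt,) + states[m:]
    label = ('-' if kind == 's' else '+') + msg
    return label, new_states, tuple(sorted(q.items()))


def has_unspecified_reception(spec, states, queues):
    """Assumed test: some channel's head message has no matching receive in
    the receiver's current state, and the receiver cannot send either."""
    for (src, dst), msgs in queues:
        offered = spec[dst].get(states[dst - 1], [])
        can_send = any(kind == 's' for kind, _, _, _ in offered)
        can_recv = any(kind == 'r' and msg == msgs[0] and other == src
                       for kind, msg, other, _ in offered)
        if not (can_send or can_recv):
            return True
    return False


def analyze(spec, initial):
    nodes = [(initial, ())]   # list index + 1 is the printed state number
    buckets = {initial: [0]}  # hash on machine states only; chain collisions
    edges, deadlocks, unspecified, executed = [], [], [], set()
    overflows = max_queue = 0
    pending = deque([0])      # FIFO of nodes still to expand
    while pending:
        cur = pending.popleft()
        states, queues = nodes[cur]
        fired = 0
        for m in sorted(spec):
            for trans in spec[m].get(states[m - 1], []):
                result = step(states, queues, m, trans)
                if result is None:
                    continue
                if result == 'overflow':
                    overflows += 1
                    continue
                label, new_states, new_queues = result
                fired += 1
                executed.add((m, trans))
                chain = buckets.setdefault(new_states, [])
                target = next((i for i in chain
                               if nodes[i][1] == new_queues), None)
                if target is None:  # not in the graph yet: create and enqueue
                    target = len(nodes)
                    nodes.append((new_states, new_queues))
                    chain.append(target)
                    pending.append(target)
                    max_queue = max([max_queue] +
                                    [len(v) for _, v in new_queues])
                edges.append((cur + 1, label, m, target + 1))
        if fired == 0 and not queues:  # nothing enabled and channels empty
            deadlocks.append(cur + 1)
        if has_unspecified_reception(spec, states, queues):
            unspecified.append(cur + 1)
    all_trans = {(m, t) for m in spec for ts in spec[m].values() for t in ts}
    return {'states': len(nodes), 'deadlocks': deadlocks,
            'unspecified': unspecified, 'max_queue': max_queue,
            'overflows': overflows, 'edges': edges,
            'unexecuted': sorted(all_trans - executed),
            'longest_chain': max(len(c) for c in buckets.values())}


if __name__ == '__main__':
    for name, value in analyze(SPEC, INITIAL).items():
        print(name, ':', value)
```

Three global states share the machine-state tuple (2,1,1) and differ only in channel contents, so they land in one hash chain; this is the collision case the text attributes the O(n) search cost to.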
IV. SMART AND BIG MUSHROOM: A PROGRAM FOR AUTOMATING SCM REACHABILITY ANALYSIS



This chapter describes the programs that automate either system state analysis (Smart
Mushroom) or the full global analysis (Big Mushroom) for a protocol specified by SCM.
The description is divided into four sections: general program structure, inputs
to the program, generating the reachability graph, and outputs of the program.

A. PROGRAM STRUCTURE 

The program structure of Smart Mushroom and Big Mushroom is similar to the structure
of Simple Mushroom. The SCM model specification is more complicated than the CFSM
specification, but this complexity in the specification brings some advantages to the
analysis as mentioned in Chapter II. A protocol specified by the SCM model consists of
FSMs, variable definitions, and a predicate-action table, rather than just the FSMs as in
the CFSM model.

FSMs are entered into the program in the same manner as in the Simple Mushroom
program, using a text file. The variable definitions and predicate-action table must also be
entered into the program. The user enters these parts by completing Ada packages (footnote 1)
and subprograms using the templates provided.

The compilation units for the program are shown in Table 3. The user has access to the
last four packages/subprograms. Once the user completes these subprograms using the
templates and compiles them with the other compilation units, the analysis of the specified
protocol can be performed. Construction of the specification in the form of Ada packages
and subprograms is explained in the next section.

Footnote 1: Ada packages are one of the four forms of program unit, of which programs can be
composed. The other forms are subprograms, task units, and generic units. Packages allow the
specification of groups of logically related entities. In their simplest form packages specify
pools of common object and type declarations. [Ref. 13]

TABLE 3: SMART AND BIG MUSHROOM PROGRAM COMPILATION UNITS 



Compilation Unit | Description | File name

Main (procedure) | This is the parent unit. Contains the main data structures, global variables, and the driver. | smain.a
load_machine_array (procedure) | Builds the adjacency lists from FSMs. | sinput.a
read_in_file (procedure) | Parses the input FSM text file. | sinput.a
build_Gstate_graph (procedure) | Generates the global reachability graph. | sg_reachability.a
build_system_state_graph (procedure) | Generates the system reachability graph. | sg_reachability.a
hash (function) | Generates an index number according to the hashing function. | sg_reachability.a
clear_pointers (procedure) | Deallocates the dynamic memory space for another analysis. | sg_reachability.a
search_for_Gtuple (function) | Searches the reachability graph for the equivalent global tuples using hashing. | sg_search.a
clear_hash_array (procedure) | Clears the hash array and deallocates the memory for global reachability analysis. | sg_search.a
search_for_Stuple (function) | Searches the reachability graph for the equivalent system tuples using hashing. | sg_search.a
clear_hs_hash_array (procedure) | Clears the hash array and deallocates the memory for system state analysis. | sg_search.a
output_Gstate_node (procedure) | Outputs the machine states, and states with deadlock for global reachability analysis. | sg_output.a
output_sys_node (procedure) | Outputs machine states, and states with deadlock for system state analysis. | sg_output.a
output_Gstate_transition (procedure) | Outputs the transition name for global reachability analysis. | sg_output.a
output_sys_transition (procedure) | Outputs the transition name for system state analysis. | sg_output.a
output_unexecuted_transitions (procedure) | Outputs the unexecuted transitions. | sg_output.a
output_machine_arrays (procedure) | Outputs the FSM description in a tabular format. | sg_output.a
output_analysis (procedure) | Driver for the output subprograms. | sg_output.a
system_call (procedure) | Interface program for Unix system calls via C. | ssystem.a
queues (generic package) | Implements the queue operations for the pointer queue that stores the nodes temporarily. | squeues.a
stacks (generic package) | Implements the stack operations for storing enabled transitions. | sstacks.a
definitions (package) | Includes user defined local and shared variables. | named by the user
Analyze_Predicates (procedure); there is one for each machine | Determines the enabled transitions from the predicates. | named by the user
Action (procedure) | Executes the actions for the enabled transitions. | named by the user
output_gtuple (procedure) | Outputs the global state tuples in a format defined by the user. | named by the user

B. INPUT



The inputs to the program consist of three parts, as mentioned earlier. FSMs are
entered using a text file representation as in the Simple Mushroom program. Variables and
the predicate-action table are entered as Ada packages/subprograms. The user needs to
complete these packages and subprograms by filling in the templates provided.

The Ada package template for the variable declarations is called “definitions.” The
predicate-action table is entered using an Ada subprogram template which consists of one
procedure named “Action” and two to eight procedures called
“Analyze_Predicates_Machine*” according to the number of machines in the protocol.
The “*” at the end of the procedure name is replaced by the corresponding machine number
for each machine in the protocol.

After completing the templates described above, the user must compile these units 
with the other compilation units listed in Table 3. The program units can be compiled by 
entering a “make” command. The “make” command executes a list of shell commands in 
the “Makefile” file which contains the commands for compiling the program units 
according to their dependencies. After issuing the “make” command, the executable file is 
stored in a file named “scm.” The “Makefile” is provided to the user with the mushroom 
program. 

Each of these program units will be explained in the following subsections. The 
example ring protocol described in Chapter II is also used to illustrate how to complete the 
templates. 

1. Finite State Machines 

There are a few differences between the FSM description of the Smart and Big Mushroom
programs and that of the Simple Mushroom program. The same reserved words are used to
write the FSM text file. These are listed in Figure 9. The syntax changes that must be made
to this form are shown in Figure 16.

In the SCM model, the transition names do not need explicit machine numbers to show
which machine a message is sent to or received from. Since shared
variables are used for communication between machines, this information is included in the
predicate-action table. The FSM text file for the example ring protocol is shown in Figure
17.



trans <transition name> <next_state>
<transition name> ::= <identifier>
<identifier> ::= {[underline] | letter_or_digit}
<letter_or_digit> ::= <letter> | <digit>

Figure 16: Syntax changes for FSM description of SCM model 



start
number_of_machines 3
machine 1
   state 0
      trans snd_data1 1
   state 1
      trans rcv_data3 0
machine 2
   state 0
      trans rcv_data1 1
   state 1
      trans snd_data2 0
machine 3
   state 0
      trans rcv_data2 1
   state 1
      trans snd_data3 0
initial_state 0 0 0
finish

Figure 17: Text file description of the example ring protocol 
The FSM text file is read by the input procedures, which generate the adjacency list
used during the construction of the system and global reachability graphs. The data
structure for the adjacency list is shown in Figure 18.



type visit_type is (yes, no);
type machine_array_record_type;
type Slink_type is access machine_array_record_type;
type machine_array_record_type is
   record
      transition  : scm_transition_type := unused;
      next_Mstate : natural := 0;
      visited     : visit_type := no;
      Slink       : Slink_type := null;
   end record;

type machine_array_type is array(integer range 0 .. 50) of Slink_type;

type system_array_type is array (1 .. num_of_machine) of machine_array_type;

Figure 18: Data structure for the adjacency list. 



2. Variable Definitions 

The user defines the protocol variables in an Ada package named definitions. This 
package includes the local variables for each machine and the global variables, which are 
considered shared and allow communication between machines. A variable can be one of 
the Ada defined types such as: integer, array, string, record, character, boolean, etc. These 
types and their subtypes are used to define the protocol variables. 

The template for the definitions package is given in Figure 19. The shaded areas 
show where the variables of the protocol are inserted by the user. Additional type 
declarations should be placed before the machine type declarations. 

The variable declarations for the example ring protocol are shown in Figure
20. The local variables of the protocol are: in_buff1, in_buff2, in_buff3, out_buff1,
out_buff2, and out_buff3. The shared variables are: CHAN1, CHAN2 and CHAN3. The
type definition dummy_type is placed in each of the local variable declarations of
machines in case the protocol has less than eight machines. When declaring the local
variables for each machine, this dummy variable can be deleted from the corresponding
machine. The initial values of the variables are also assigned with the variable declarations.



with TEXT_IO;
use TEXT_IO;
package definitions is
   num_of_machines : constant :=        -- number of machines in the specification (can be 2 to 8)
   type scm_transition_type is (        -- transition names of FSMs
   type dummy_type is range 1..255;

   type machine1_state_type is
      record
         dummy : dummy_type;



   type global_variable_type is
      record
                                        -- global (shared) variables
      end record;
end definitions;

Figure 19: Template for definitions package



3. Predicate-Action Table 

The predicate-action table is represented by a number of subprograms as separate
compilation units. These subprograms are named Analyze_Predicates and are used to
determine the enabled transitions for each machine. The procedure named Action executes
the actions to be taken for the corresponding enabled predicates. There is one
Analyze_Predicates procedure for each machine and one Action procedure for the protocol.
The template for the Analyze_Predicates procedure is shown in Figure 21.



with TEXT_IO;
use TEXT_IO;
package definitions is

   num_of_machines : constant := 3;

   type scm_transition_type is (snd_data1, rcv_data3, snd_data2,
                                rcv_data1, snd_data3, rcv_data2, unused);

   type buffer_type is (D, E);

   package buff_enum_io is new enumeration_io (buffer_type);
   use buff_enum_io;

   type dummy_type is range 1..255;

   type machine1_state_type is
      record
         out_buff1 : buffer_type := D;
         in_buff1  : buffer_type := E;
      end record;

   type machine2_state_type is
      record
         out_buff2,
         in_buff2 : buffer_type := E;
      end record;

   type machine3_state_type is
      record
         out_buff3,
         in_buff3 : buffer_type := E;
      end record;

   type machine4_state_type is
      record
         dummy : dummy_type;
      end record;



   type machine8_state_type is
      record
         dummy : dummy_type;
      end record;

   type global_variable_type is
      record
         CHAN1,
         CHAN2,
         CHAN3 : buffer_type := E;
      end record;

end definitions;



Figure 20: Completed Definitions package for the example ring protocol 
separate(main)
procedure Analyze_Predicates_machine1 (local  : machine1_state_type;
                                       global : global_variable_type;
                                       s      : natural;
                                       w      : in out transition_stack_package.stack) is
begin



      when others =>
         null;
   end case;
end Analyze_Predicates_machine1;



Figure 21: Template for Analyze predicates procedures 



The user completes the template for each state of the machines. For each machine 
state there is one “when” statement. “If” statements specify the predicates for possible
transitions from the current state. The “Push” statement stores these transitions in the stack. 
Since more than one transition can be enabled in some states, a stack is used to store all 
possible transitions. The “s” parameter, in the formal parameter list of the procedure, passes 
the machine state; and the “w” parameter passes the stack name to the procedure. The file 
for the example ring protocol is given in Figure 22. 

The template for the Action procedure is shown in Figure 23. The enabled 
transitions are passed into this procedure through the “in_transition” formal parameter and 
the necessary changes are made to the local and shared variables by the Action procedure. 
The “out_system_state” parameter passes the changed protocol variables to the calling 
procedure. The completed Action procedure is shown in Figure 24. Text in boldface shows 
the user defined parts. 
separate (main)
procedure Analyze_Predicates_Machine1 (local : machine1_state_type; GLOBAL : global_variable_type;
                                       s : natural; w : in out transition_stack_package.stack) is
begin
   case s is
      when 0 =>
         if ( (GLOBAL.CHAN1 = E) and (LOCAL.out_buff1 /= E) ) then
            Push(w, snd_data1);
         end if;
      when 1 =>
         if (GLOBAL.CHAN3 /= E) then
            Push(w, rcv_data3);
         end if;
      when others =>
         null;
   end case;
end Analyze_Predicates_Machine1;

separate (main)
procedure Analyze_Predicates_Machine2 (local : machine2_state_type; GLOBAL : global_variable_type;
                                       s : natural; w : in out transition_stack_package.stack) is
begin
   case s is
      when 0 =>
         if (GLOBAL.CHAN1 /= E) then
            Push(w, rcv_data1);
         end if;
      when 1 =>
         if ( (GLOBAL.CHAN2 = E) and (local.out_buff2 /= E) ) then
            Push(w, snd_data2);
         end if;
      when others =>
         null;
   end case;
end Analyze_Predicates_Machine2;

separate (main)
procedure Analyze_Predicates_Machine3 (local : machine3_state_type; GLOBAL : global_variable_type;
                                       s : natural; w : in out transition_stack_package.stack) is
begin
   case s is
      when 0 =>
         if (GLOBAL.CHAN2 /= E) then
            push(w, rcv_data2);
         end if;
      when 1 =>
         if ( (GLOBAL.CHAN3 = E) and (local.out_buff3 /= E) ) then
            push(w, snd_data3);
         end if;
      when others =>
         null;
   end case;
end Analyze_Predicates_Machine3;

separate (main)
procedure Analyze_Predicates_Machine4 (local : machine4_state_type; GLOBAL : global_variable_type;
                                       s : natural; w : in out transition_stack_package.stack) is
begin
   null;
end Analyze_Predicates_Machine4;



separate (main)
procedure Analyze_Predicates_Machine8 (local : machine8_state_type; GLOBAL : global_variable_type;
                                       s : natural; w : in out transition_stack_package.stack) is
begin
   null;
end Analyze_Predicates_Machine8;



Figure 22: Completed Analyze Predicates procedures for the example ring protocol 
separate(main)
procedure Action ( in_system_state  : in out Gstate_record_type;
                   in_transition    : in out scm_transition_type;
                   out_system_state : in out Gstate_record_type ) is
begin
   case in_transition is
      when                    -- enabled transition
                              -- action taken

      when others =>
         put(" Error in the action procedure");
   end case;
end Action;



Figure 23: Template for Action procedure 



separate (main)
procedure Action (in_system_state : in out Gstate_record_type; in_transition : in out scm_transition_type;
                  out_system_state : in out Gstate_record_type) is
begin
   case (in_transition) is
      when (snd_data1) =>
         out_system_state.GLOBAL_VARIABLES.CHAN1 := in_system_state.machine1_state.out_buff1;
         out_system_state.machine1_state.out_buff1 := E;

      when (rcv_data3) =>
         out_system_state.machine1_state.in_buff1 := in_system_state.GLOBAL_VARIABLES.CHAN3;
         out_system_state.machine1_state.out_buff1 := out_system_state.machine1_state.in_buff1;
         out_system_state.GLOBAL_VARIABLES.CHAN3 := E;

      when (snd_data2) =>
         out_system_state.GLOBAL_VARIABLES.CHAN2 := in_system_state.machine2_state.out_buff2;
         out_system_state.machine2_state.out_buff2 := E;

      when (rcv_data1) =>
         out_system_state.machine2_state.in_buff2 := in_system_state.GLOBAL_VARIABLES.CHAN1;
         out_system_state.machine2_state.out_buff2 := out_system_state.machine2_state.in_buff2;
         out_system_state.GLOBAL_VARIABLES.CHAN1 := E;

      when (snd_data3) =>
         out_system_state.GLOBAL_VARIABLES.CHAN3 := in_system_state.machine3_state.out_buff3;
         out_system_state.machine3_state.out_buff3 := E;

      when (rcv_data2) =>
         out_system_state.machine3_state.in_buff3 := in_system_state.GLOBAL_VARIABLES.CHAN2;
         out_system_state.machine3_state.out_buff3 := out_system_state.machine3_state.in_buff3;
         out_system_state.GLOBAL_VARIABLES.CHAN2 := E;

      when others => put_line("There is an error in the Action procedure");
   end case;
end Action;



Figure 24: Completed Action procedure for the example protocol 
C. REACHABILITY ANALYSIS



The process of generating the set of all states reachable from the initial state is called 
reachability analysis. The program is capable of generating both the global and system 
reachability analyses separately for a protocol specified formally by the SCM model. 

The user selects either global reachability analysis or system state analysis from a 
menu. During the graph construction, the program also detects the states with deadlock 
condition. Analysis results are stored in the output file named “rgraph.dat” in parallel with 
the graph construction. 

Generating the global reachability analysis and system state analysis will be described 
in the following subsections. 

1. Global Reachability Analysis 

The structure of the global node representation used for the program is shown in 
Figure 25. This node structure also includes the outgoing transitions. The maximum 
number of outgoing transitions is limited to 7, which can be increased if necessary. The 
shared variables are stored in the global_variables variable and local variables are stored
separately for each machine in the machine state* variables.

The initial global state is constructed from both the FSM text file and the initial 
values of the variables assigned in the definitions package. All the outgoing transitions are 
set to null initially. Starting with the initial global state, new nodes are added and linked to 
the graph. The algorithm for generating the global reachability graph is the same as the 
algorithm given for the system state analysis in Chapter II except that the “system states” 
must be replaced by “global states.” Figure 26 shows a pseudo-code algorithm to construct 
the global reachability graph. 
Figure 25: Global state structure with outgoing transitions



The program uses hashing for searching the reachability graph which increases 
the run time efficiency of the program. The reachability analysis is limited by the storage 
capacity of the computer and by the run time as in Simple Mushroom program. For 
example, the program generated 31,460 global states for a sliding window protocol of two 
machines defined in [Ref. 1] for a window size of 10. The run time for this example was 
about 10 minutes. The number of states and the run time increases greatly as the number of 
machines in the protocol increases and the protocol specifications become larger. 
loop (main loop)
   for index1 in 1 .. total_number_of_machines loop
      position_holder(index1) := machine_array(index1)(M_state(index1))
      Determine the enabled transitions for the machine(index1) and push into transition_stack
      while not Empty(transition_stack) loop
         while (position_holder(index1) /= null) loop
            Traverse the machine arrays for each enabled transition in the stack
            if a transition found in the machine arrays create a temporary node resulting from this transition
               call Action procedure to make the necessary changes to the variables of this node
               Search the graph for this node
               if a node not found then
                  insert and link the node to the graph
                  Enqueue the node into the G_pointer_queue
               else
                  link the node to the graph
               end if
            else
               position_holder(index1) := position_holder(index1).Slink
            end if
         end loop
         if not Empty(transition_stack) and a transition not found in the machine arrays
            pop the stack
         end if;
      end loop
   end loop
   if G_pointer_queue Empty then
      exit
   else
      Dequeue G_pointer_queue
      Update M_state for this new node
   end if
end loop (main loop)

Figure 26: Algorithm for generating global reachability graph for Big Mushroom 



2. System State Analysis 

The steps in constructing the system state graph are detailed in Chapter II. The 
structure of a system state is shown in Figure 27. Since the variables are not part of the 
system state, system state nodes are much smaller than the global state nodes. However, in 
order to determine the enabled transitions, variables are still needed for each node in the 
graph. The program stores the variables in secondary storage, instead of keeping them as a 
part of the node, which decreases the amount of primary memory used and allows the
analysis of larger and more complex protocols.

The pseudo-code algorithm for constructing the system reachability graph is
shown in Figure 28.

Figure 27: System state structure for Smart Mushroom program



D. OUTPUT 

The program stores the results of the analysis in a file named “rgraph.dat.” This file 
contains FSMs in a tabular format, system/global reachability graph, and the results of the 
analysis consisting of number of states generated, number of states analyzed, and number 
of deadlocks. Unexecuted transitions are also listed at the end of the analysis. 

Since each protocol specification has different variables, the user also has the 
flexibility to output the desired variables. This is done in a similar manner to the
predicate-action table and variable definitions representation explained earlier using an Ada
procedure template. The template for the output_Gtuple procedure is shown in Figure 29.
The user completes the template with Ada “put” statements for outputting the global states.
Since the system state tuples do not include the variables, there is no need to define an
output format for system reachability graph.

loop (main loop)
   for index1 in 1 .. num_of_trans loop
      if parent_Sstate.link(index1).Stransition /= unused then
         for index2 in 1 .. total_num_of_machines loop
            position_holder := machine_array(index2)(M_state(index2))
            while position_holder /= null loop
               if position_holder.transition = parent_Sstate.link(index1).Stransition then
                  create a temporary system state and store the corresponding variables
                  determine the enabled outgoing transitions
                  search the system state graph for this node
                  if node not found then
                     insert the node and link to the graph
                     Enqueue the node into sys_pointer_queue
                  else
                     link the node to the graph
                  end if
                  exit
               else
                  position_holder := position_holder.Slink
               end if
            end loop
            if an enabled transition found in the machine arrays then
               exit
            end if
         end loop
      else
         exit
      end if
   end loop
   if sys_pointer_queue empty then
      exit
   else
      Dequeue the sys_pointer_queue
      update M_state
   end if
end loop (main loop)

Figure 28: Algorithm for generating system state graph for Smart Mushroom program 



The completed template for the output_Gtuple procedure is given in Figure 30.
As in the Simple Mushroom program, if the analysis generates more than 2000 states, the
program gives an interim summary and continues in steps as described in Chapter III. At
the end of the program, the user can display/print the results or continue with another
system/global state analysis by selecting the desired options from the menu. The output of the
program for the example ring protocol is given in Figures 31 and 32.



separate (main)
procedure output_Gtuple (tuple : in out Gstate_record_type) is
begin
   if print_header then
      new_line(2);
      -- header format for the variables
      print_header := false;
   else
      put("[" & integer'image (tuple.machine_state (1)) );
      put(" , ");
      -- machine 1 local variables

      put("[" & integer'image (tuple.machine_state (2)) );
      put(" , ");



      put("[" & integer'image (tuple.machine_state (8)) );
      put(" , ");
      -- global variables
   end if;
end output_Gtuple;

Figure 29: Template for output_Gtuple procedure
separate (main)
procedure output_Gtuple (tuple : in out Gstate_record_type) is
begin
   if print_header then
      new_line(2);
      set_col(5);
      put_line(" m1(in_buff1,out_buff1), m2(in_buff2,out_buff2),m3(in_buff3,out_buff3),(CHAN1,CHAN2,CHAN3)");
      print_header := false;
   else
      put(" [" & integer'image(tuple.machine_state(1)) );
      put(" , ");
      buff_enum_io.put(tuple.machine1_state.in_buff1);
      put(" , ");
      buff_enum_io.put(tuple.machine1_state.out_buff1);
      -- The string literal on the next line is illegible in the source; " , " is assumed.
      put(" , " & integer'image(tuple.machine_state(2)) );
      put(" , ");
      buff_enum_io.put(tuple.machine2_state.in_buff2);
      put(" , ");
      buff_enum_io.put(tuple.machine2_state.out_buff2);
      put(" , ");
      put(integer'image(tuple.machine_state(3)) );
      put(",");
      buff_enum_io.put(tuple.machine3_state.in_buff3);
      put(" , ");
      buff_enum_io.put(tuple.machine3_state.out_buff3);
      put(" , ");
      buff_enum_io.put(tuple.GLOBAL_VARIABLES.CHAN1);
      put(" , ");
      buff_enum_io.put(tuple.GLOBAL_VARIABLES.CHAN2);
      put(" , ");
      buff_enum_io.put(tuple.GLOBAL_VARIABLES.CHAN3);
      put(" ]");
   end if;
end output_Gtuple;

Figure 30: Completed output_Gtuple procedure for the example protocol

REACHABILITY ANALYSIS of : ring.scm

SPECIFICATION

Machine 1 State Transitions

From | To | Transition
0 | 1 | snd_data1
1 | 0 | rcv_data3

Machine 2 State Transitions

From | To | Transition
0 | 1 | rcv_data1
1 | 0 | snd_data2

Machine 3 State Transitions

From | To | Transition
0 | 1 | rcv_data2
1 | 0 | snd_data3

GLOBAL REACHABILITY GRAPH

m1(in_buff1,out_buff1),m2(in_buff2,out_buff2),m3(in_buff3,out_buff3),(CHAN1,CHAN2,CHAN3)

SUMMARY OF REACHABILITY ANALYSIS (ANALYSIS COMPLETED)

Number of states generated : 12
Number of states analyzed : 12
Number of deadlocks : 0

UNEXECUTED TRANSITIONS
*****NONE*****

Figure 31: Program output for global reachability analysis

REACHABILITY ANALYSIS of : ring.scm

SPECIFICATION

| Machine 1 State Transitions |
| From | To | Transition |
| 0 | 1 | snd_data1 |
| 1 | 0 | rcv_data3 |

| Machine 2 State Transitions |
| From | To | Transition |
| 0 | 1 | rcv_data1 |
| 1 | 0 | snd_data2 |

| Machine 3 State Transitions |
| From | To | Transition |
| 0 | 1 | rcv_data2 |
| 1 | 0 | snd_data3 |

SYSTEM REACHABILITY GRAPH

SUMMARY OF REACHABILITY ANALYSIS (ANALYSIS COMPLETED)

Number of states generated : 6
Number of states analyzed : 6
Number of deadlocks : 0

UNEXECUTED TRANSITIONS
*****NONE*****

Figure 32: Program output for system state analysis



2. The number next to the “]” sign shows the subscript that is explained in Chapter II.

V. EXAMPLES FOR USING THE MUSHROOM PROGRAM



In this Chapter, the programs Simple Mushroom, Big Mushroom, and Smart 
Mushroom are demonstrated with several examples. 

The Simple Mushroom program will be used to analyze a simple example four 
machine protocol which illustrates some important aspects of the program, such as 
detecting unspecified receptions, unexecuted transitions etc. Also, the information transfer 
phase of a full duplex LAP-B protocol specified by the CFSM model will be analyzed. This 
protocol illustrates a larger and more complex analysis. 

The Big Mushroom and Smart Mushroom programs will be used to analyze the GO 
BACK N protocol with a window size of 10, and the Token Bus protocol, which illustrates 
some important aspects of the system state analysis. 

A. CFSM MODEL 

1. A Simple Four Machine Protocol 

The specification of the protocol using the CFSM model is shown in Figure 33. 
Each of the machines sends/receives a message/acknowledgment from another machine. 
Machines 2 and 3 also have another send transition from state 1 to state 3. The FSM 
description of the protocol is shown in Figure 34, and analysis results obtained by the 
Simple Mushroom program are shown in Figure 35. The analysis generated 36 global states. 
There are three unspecified receptions and one unexecuted transition. No deadlocks or 
channel overflows are recorded. The maximum channel size is 2. These results are obtained 
by simply entering the FSM text file into the program. This analysis would be very 
cumbersome to do manually, even for a simple specification like this one. 

[Figure 33 (diagram): MACHINE 1, MACHINE 2, MACHINE 3 and MACHINE 4 of the example four machine protocol]



start
number_of_machines 4
machine 1
state 1
trans -D 2 2
state 2
trans +A 1 3
machine 2
state 1
trans -D 3 3
trans +D 2 1
state 2
trans +D 1 4
machine 3
state 1
trans -A 3 1
trans +D 2 2
state 2
trans -D 1 4
machine 4
state 1
trans +D 2 3
state 2
trans -D 1 2
initial_state 1111
finish

Figure 34: FSM text file for the example protocol

REACHABILITY ANALYSIS of : fourMchin*. fn
SPECIFICATION

| Machine 1 State Transitions |
| From | To | other machine | Transition |
| 1 | 2 | 2 | s D |
| 2 | 1 | 3 | r A |

| Machine 2 State Transitions |
| From | To | other machine | Transition |
| 1 | 3 | 3 | s D |
| 1 | 2 | 1 | r D |
| 2 | 1 | 4 | r D |

| Machine 3 State Transitions |
| From | To | other machine | Transition |
| 1 | 3 | 1 | s A |
| 1 | 2 | 2 | r D |
| 2 | 1 | 4 | s D |

| Machine 4 State Transitions |
| From | To | other machine | Transition |
| 1 | 2 | 3 | r D |
| 2 | 1 | 2 | s D |


REACHABILITY GRAPH

[Listing of the 36 global state tuples and their outgoing transitions; three of the states are marked “Unspecified Reception”.]


SUMMARY OF REACHABILITY ANALYSIS (ANALYSIS COMPLETED)

Total number of states generated : 36
Number of states analyzed : 36
number of deadlocks : 0
number of unspecified receptions : 3
maximum message queue size : 2
channel overflow : NONE

UNEXECUTED TRANSITIONS

| Machine 2 Unexecuted Transitions |
| From | To | other machine | Unexecuted Transition |
| 2 | 1 | 4 | r D |




Figure 35: Program output for the example protocol 
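
The analysis summarized in Figure 35 can be reproduced with a breadth-first search over the FSM text file of Figure 34. The Python below is an added example, not the Simple Mushroom source; the field order `trans <name> <next state> <other machine>` is read off Figures 34 and 35, while the function names, the `max_len` channel bound, and the rule that a stuck state with non-empty channels counts as an unspecified reception are assumptions of this example.

```python
from collections import deque

# FSM text file of Figure 34, embedded so the example runs offline.
FIGURE_34 = """start
number_of_machines 4
machine 1
state 1
trans -D 2 2
state 2
trans +A 1 3
machine 2
state 1
trans -D 3 3
trans +D 2 1
state 2
trans +D 1 4
machine 3
state 1
trans -A 3 1
trans +D 2 2
state 2
trans -D 1 4
machine 4
state 1
trans +D 2 3
state 2
trans -D 1 2
initial_state 1111
finish
"""


def parse_fsm(text):
    """Return (transitions, initial); a transition is (machine, from, name, to, other)."""
    trans, initial, machine, state = [], (), None, None
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[0] == "machine":
            machine = int(tok[1])
        elif tok[0] == "state":
            state = int(tok[1])
        elif tok[0] == "trans":
            trans.append((machine, state, tok[1], int(tok[2]), int(tok[3])))
        elif tok[0] == "initial_state":
            # Assumption: one digit per machine, written with or without spaces.
            initial = tuple(int(d) for d in "".join(tok[1:]))
    return trans, initial


def analyze(text, max_len=8):
    """Breadth-first global reachability analysis of a CFSM specification."""
    trans, initial = parse_fsm(text)
    n = len(initial)
    # One FIFO channel per ordered pair of machines; slot[(i, j)] carries i -> j.
    pairs = [(i, j) for i in range(1, n + 1) for j in range(1, n + 1) if i != j]
    slot = {pair: k for k, pair in enumerate(pairs)}
    start = (initial, tuple(() for _ in pairs))
    seen, work = {start}, deque([start])
    executed, deadlocks, unspecified = set(), [], []
    overflows = max_queue = 0
    while work:
        states, chans = work.popleft()
        enabled = 0
        for t in trans:
            m, frm, name, to, other = t
            if states[m - 1] != frm:
                continue
            q = list(chans)
            if name[0] == "-":                      # send on channel m -> other
                k = slot[(m, other)]
                enabled += 1
                if len(q[k]) >= max_len:            # bound keeps the search finite
                    overflows += 1
                    continue
                q[k] = q[k] + (name[1:],)
            else:                                   # receive from channel other -> m
                k = slot[(other, m)]
                if not q[k] or q[k][0] != name[1:]:
                    continue                        # expected message not at the head
                enabled += 1
                q[k] = q[k][1:]
            executed.add(t)
            max_queue = max(max_queue, len(q[k]))
            nxt = (states[:m - 1] + (to,) + states[m:], tuple(q))
            if nxt not in seen:
                seen.add(nxt)
                work.append(nxt)
        if enabled == 0:
            # Assumption: stuck with empty channels = deadlock, else unspecified reception.
            (unspecified if any(chans) else deadlocks).append((states, chans))
    return {"states": len(seen), "deadlocks": len(deadlocks),
            "unspecified_receptions": len(unspecified), "max_queue": max_queue,
            "overflows": overflows,
            "unexecuted": [t for t in trans if t not in executed]}


if __name__ == "__main__":
    for key, value in analyze(FIGURE_34).items():
        print(f"{key}: {value}")
```

The single unexecuted transition is machine 2's receive from machine 4 in state 2: machine 4 only sends after machine 2 has already moved to state 3, so the message can never be consumed.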

2. Analysis of Information Transfer Phase of the LAP-B Protocol

In this Section, analysis of a Data Link Control (DLC) protocol is described using
the Simple Mushroom program. The LAP-B protocol is modeled and analyzed with the CFSM
model [Ref. 14]. A simplified analysis of the information transfer phase of the protocol,
which includes only I-frames with a window size of 2, will be described below.

This analysis is important in two ways. First, it verifies that the program is correct
by obtaining the same analysis results as in [Ref. 14]. Secondly, it is a good example to
show that the total number of global states can be very large, even for such a limited
protocol. The description of the information transfer phase is explained below as it appears
in [Ref. 14].

The network nodes, which are connected by the protocol, consist of a Data
Terminal Equipment (DTE) and a Data Circuit Terminating Equipment (DCE). In this
model, DTE and DCE are considered process 1 and process 2 respectively. Each of these
processes is also modeled as three sub-processes: Sender, Receiver and Frame Assembler
Disassembler (FAD), which are numbered as 1 or 2 according to their process numbers.

Figure 36 shows the processes and how they are connected. The FAD process 
combines data blocks from the Sender with acknowledgments from the Receiver, into 
complete I-frames and sends the I-frames to the FAD of the other process. The FAD also 
breaks up the I-frames received from the other FAD and sends the acknowledgment to the 
Sender, and data blocks to the Receiver. 

I-frames are expressed by the notation “Inm”, where n is the send sequence 
number N(S), and m is the receive sequence number N(R). The message “Di” is a data 
block sent from the Sender to the FAD, or from the FAD to the receiver; it is the data block 
which is to be placed in, or which is taken out of, the I-frame. The “i” in “Di” is the send 
sequence number. The message “Ai” is an acknowledgment with a receive sequence 
number of i. 

[Diagram panels: DTE, DCE]

Figure 36: Processes for the Information Transfer Phase



The finite state machines for the Sender, Receiver and FAD of the DTE are shown
in Figures 37, 38 and 39. The FSMs for the DCE are the same except that FAD1,
RECEIVER1, and SENDER1 must be replaced with FAD2, RECEIVER2, and SENDER2
respectively. Since no RR-frames are used, I-frames can only be acknowledged by
receiving an N(R) from an incoming I-frame.

As an example, suppose the DTE Sender1 has 3 data blocks to send. It can go
from state 1 to state 2, sending “D0,” and then to state 3, sending the second block as “D1.”
At this point, 2 data blocks are outstanding, so it must wait for an acknowledgment of at
least one of them before sending the third.

The DTE FAD1 process, initially in state 1, will receive the D0 from Sender1 and
enter state 2. It then sends an “enquiry” to the Receiver1 to get the latest acknowledgment,
an N(R), for the data blocks received from the DCE.

Since no data blocks have been received by the DTE yet, Receiver1 will respond
with an “A0.” FAD1 will receive the A0, and will transition from state 8 to 11. The FAD1
will then return to state 1 sending the I-frame “I00.” Similarly, the FAD1 will receive the
second data block, D1, and transmit it as “I10” after combining with “A0.”

FAD2 will receive the “I00” frame first, entering state 20. It then splits this
I-frame and sends the “D0” to Receiver2, and “A0” to Sender2.

Sender2 is in state 1, and simply discards this “A0.” Receiver2 is in state 1,
accepts the “D0” data block and transitions to state 2.

Similarly, the DCE FAD2 process receives the “I10” message, and sends the
“D1” to Receiver2, and “A0” to Sender2. Sender2 will discard the “A0”, remaining in
state 1, and Receiver2 will receive “D1,” transitioning to state 3.

Suppose at this point a user data block becomes available to send at the DCE. It
will send an “I02” frame across the data link to the DTE; and upon receiving the I02, the
DTE will now be able to send the third user data block.

Figure 37: Sender 1 [Ref. 14]

Figure 38: Receiver 1 [Ref. 14]

Figure 39a: Frame Assembler Disassembler FAD1 (Assembler Part) [Ref. 14]

Figure 39b: Frame Assembler Disassembler FAD1 (Disassembler Part) [Ref. 14]



For the automated analysis of the protocol, the FSMs in Figures 37, 38, and 39 are 
converted to a text file and entered into the program as shown in Appendix A. The 
transition names in this text file are the same as in the FSM diagrams, such as “+I00”, 
“+D0” etc. In order to save memory and generate a larger number of states in the analysis, 
the transition names can be abbreviated to single characters at the time of the analysis as 
shown below: 



D0  -> X        I00 -> 1
D1  -> Y        I01 -> 2
D2  -> Z        I02 -> 3
A0  -> A        I10 -> 4
A1  -> B        I11 -> 5
A2  -> C        I12 -> 6
ENQ -> Q        I20 -> 7
                I21 -> 8
                I22 -> 9



The amount of memory available and the CPU time are always a concern for a full
reachability analysis. The program output for the analysis is partially given in Appendix A.
Because of the size of the analysis, only a very small portion of the reachable states are
included in the output. The total number of global states generated for the information
phase was 73391. There were no unspecified receptions, unexecuted transitions, or
channel overflows. The maximum channel length was 6. A deadlock condition was found
at state 17034 where all the channels were empty and Sender1, Receiver1, FAD1, FAD2,
Sender2, Receiver2 were in states 3, 3, 1, 1, 3, 3 respectively. This deadlock state is
expected since RR-frames are not included in the analysis. A more detailed explanation
including the RR-frames in the protocol is given in [Ref. 14]. The reader may note that the
results of the analysis exactly match the results reported in Reference 14. The
deadlock state found in Reference 14 was numbered 67699, whereas it was recorded at state
17034 in this analysis. However, the global states are the same for both analyses. The Simple
Mushroom program uses a Breadth-First Search algorithm for choosing the states from the work set
(i.e., global states that are generated, but have not been analyzed yet). The protocol verifier
PROVE, used in Reference 14, might be using a Depth-First Search approach, which would
result in a different global state number.

The protocol, including the RR-frames, was also entered into the program, but the
program could not complete the analysis due to insufficient computer memory. In this
analysis, 153565 global states were generated. No unspecified receptions, deadlocks or
channel overflows were recorded for the analyzed portion of the protocol. The maximum
channel size reached was 4. The program completed the analysis in 11 hours 51 minutes on
a Sun SPARC station.

B. SCM MODEL 
1. Go Back N 

The first protocol selected for analysis using the Big Mushroom and Smart
Mushroom programs is a 1-way data transfer protocol with a variable window size, which
is essentially a subset of the High-level Data Link Control (HDLC) class of protocols. This
protocol is modeled and analyzed with the SCM model in [Ref. 1]. The same specification
will be used here and an automated analysis will be described using the programs
developed for a window size of 10. The specification is summarized below:

There are two machines in the system, a sender (m1) and a receiver (m2). The
sender sends data blocks to the receiver, which are numbered sequentially, 0, 1,..., w, 0, 1,
... for a window size of w. As in HDLC, the maximum number of data blocks which can be
sent without receiving an acknowledgment is w, the window size. The receiver, m2,
receives the data blocks and acknowledges them by sending the sequence number of the
next data block expected (which is stored in local variable exp). The shared variables
DATA and SEQ are used to pass messages from sender to receiver, and the shared variable
ACK is used to pass acknowledgments back to the sender. The receiver may acknowledge
any number of blocks received up to the window size. Upon receiving the
acknowledgment, the sender must be able to deduce how many data blocks are being
acknowledged. This is done by observing the difference between the values of the received
acknowledgment and the sequence number of the last data block sent.

The general specification of the protocol is given in Figure 40 and in Table 4.
Initially, both sender and receiver are in state 0, arrays DATA and SEQ are empty, and
ACK is empty. The domains of DATA, Rdata and Sdata are not specified; these are used
to hold user data blocks. Sdata and Rdata are the interface or access points of the higher
layer (user) protocol. The local variables for the sender are Sdata, used to store data blocks,
seq, used to store the sequence number of the next data block to be sent out, and i, used as
an index into the DATA and SEQ arrays. Initially seq is set to 0, and i is set to 1. The local
variables of the receiver are Rdata, exp, and j. Rdata is used to receive and store incoming
data blocks, exp to hold the expected sequence number of the next incoming data block, and
j is an index into the shared arrays DATA and SEQ.

The states of both sender and receiver are numbered 0, 1, ..., w, and each state has
an easily recognized intuitive meaning. If the sender is in state 0, then all data blocks sent
to date have been received by the receiver, so a full window size of w data blocks may be
sent without waiting for an acknowledgment. If m1 is in state w, then a full window of
blocks has been sent, so the sender can only wait for the acknowledgment from the
receiver.

If the receiver, m2, is in state 0, then all received data blocks have been
acknowledged. If in state w, then a full window of data blocks has been received, but not
acknowledged. Whenever the receiver sends an acknowledgment, all data blocks received
up to that point are acknowledged.

[Figure 40 (diagram): shared variables DATA, SEQ and ACK; sender local variables seq : (0, 1, 2, ..., w) and i : (1, 2, ..., w); receiver local variables Rdata, exp : (0, 1, 2, ..., w) and j : (1, 2, ..., w)]

Figure 40: State machines and variables for Go Back N



TABLE 4: PREDICATE-ACTION TABLE FOR GO BACK N

| Transition | Enabling Predicate | Action |
| -D | DATA(i) = ε ∧ SEQ(i) = ε | DATA(i) ← Sdata(i); SEQ(i) ← seq; inc(i, seq) |
| +A_k (0 ≤ k < w) | ACK ⊕ k = seq ∧ ACK ≠ ε (next state : k) | ACK ← ε |
| +D | DATA(j) ≠ ε ∧ SEQ(j) = exp | Rdata ← DATA(j); DATA(j), SEQ(j) ← ε; inc(j, exp) |
| -A | DATA(j) = ε | ACK ← exp; Rdata ← ε |

The enabling predicate and action for each transition are shown in Table 4. The
label or transition name is the leftmost column, the enabling predicate in the middle, and
the corresponding action on the right. There are four basic types of transitions. In the
sender, m1, the -D transition transmits a data block by placing it into the shared variable
DATA(i), and the sequence number into SEQ(i). The send is enabled whenever those
variables are empty. (The interaction between the sender and the user, or higher layer, is
implicit, and not specified here). The inc operation increments its arguments if they are less
than their maximum value; otherwise it resets them to the minimum value. The operator ⊕
represents the inc operation repeated k times, if the argument is k, and the symbol ε denotes
the empty value. The receive transition in the receiver, m2, is enabled whenever a data block
of the appropriate sequence number is in the j'th element of DATA and SEQ. An
acknowledgment may be sent by m2 in any state except 0, in which case no unacknowledged
data blocks have been received.

The remaining transition is the +A_k receive acknowledgment, in m1. If m1 is in
state u, 1 ≤ u ≤ w, and there is a nonempty value in shared variable ACK, then exactly one
of the transitions +A_0, +A_1, ..., +A_{w-1} will be enabled; it will be that A_k such that the
predicate ACK ⊕ k = seq is true, and the next state is k. [Ref. 1]

For analyzing this protocol using the Big Mushroom and Smart Mushroom
programs, the inputs to the program must be completed. These consist of a text file
description of FSMs, the package definitions, which include the variables of the protocol,
and the subprograms Analyze_Predicates_Machines and Action, which define the
predicate-action table. Also an Output_Gtuple procedure, which defines the output format
for the global tuples, must be entered. Completed packages/procedures for a window size
of 10 are given in Appendix B.

The same names are used for local and shared variables in the package definitions
as in the predicate-action table. Variables DATA, ACK and Sdata are declared as one
dimensional arrays of size 10, which is the window size. Local variables seq and exp and
index numbers i and j are declared as integers in the range 0 to 10. Global variable ACK is
declared as integer in the range -1 to 10, where -1 represents the ε value in the predicate-action
table. An enumeration type, buffer_type, is declared for storing the data passed by the upper
layer to local variable Sdata. Data are declared as d0, d1, .., d9, e, where e represents the ε
value. Transition names in the specification are defined as snd_data, rcv_data, snd_ack,
rcv_acki for -D, +D, -A, and +A_i in the predicate-action table respectively.

Actions and predicates are also translated to Ada statements in the subprograms
Analyze_Predicates_Machines and Action. For each state in both machines there is a
“when” statement. The predicates for the outgoing transitions from that state are translated
to Ada with “if” conditional statements. Actions in the predicate-action table are converted
to Ada statements with “when” statements (see Appendix B).

The program generated 286 system states and 31,460 global states, which are 
identical with the results obtained by the formulas given in [Ref. 1]. The protocol is free 
from deadlocks and there are no unexecuted transitions. The difference between the 
number of system and global states shows the power of the system state analysis which 
reduced the number of states in the reachability graph exponentially. However, without the 
Smart Mushroom program, the system state analysis would be cumbersome to do manually, 
and the global reachability analysis would be infeasible. 

2. Token Bus 

As another example of the program application, the token bus specification in [Ref.
15] will be used. The specification is a simplified one. It assumes that the transmission
medium is error free and all transmitted messages are received undamaged. Both the system
state analysis and global analysis are generated from this token bus specification for a
protocol consisting of 8 machines.

The specification of this simplified protocol is given in Figure 41 and Table 5. The
FSM diagram and the local variables are the same for each machine, where the transition
names: ready, rcv, pass, get-tk, pass-tk, Xmit, and moreD are appended with the
corresponding machine number to the end for each machine in the specification. For
example, transitions for machine 7 are named as ready7, rcv7, pass7, etc. This makes it
easier to follow the reachability graphs. The remainder of the protocol specification as
described in Reference 15 is as follows: The shared variable, MEDIUM, is used to model
the bus, which is “shared” by each machine. A transmission onto the bus is modeled by a
write into the shared variable. The fields of this variable correspond to the parts of the
transmitted message: the first field, MEDIUM.t, takes the values T or D, which indicate
whether the frame is a token or a data frame. The second field contains the address of the
station to which the message is transmitted (DA for “destination address”); the next field,
the originator (SA for “source address”); and finally the data block itself.

The network stations, or machines, are defined by a finite state machine, a set of
local variables, and a predicate-action table. The initial state of each machine is state 0, and
the shared variable is initially set to contain the token with the address of one of the stations
in the “DA” field.

The value of local variable next is the address of the next or downstream neighbor,
and these are initialized so that the entire network forms a cycle, or logical ring.

The local variable i is used to store the station’s own address. As implied by the
names, the local variables inbuf and outbuf are used for storing data blocks to be transmitted
to or retrieved from other machines on the network. The latter of these, outbuf, is an array
and thus can store a potentially large number of data blocks. The local variable ctr serves
to count the number of blocks sent; it is an upper bound on the number of blocks which can
be sent during a single token holding period. The local variable j is an index into the array
outbuf.

[Figure 41 (diagram): shared variable MEDIUM with fields t, DA, SA, data; a local buffer with fields DA, SA, data; inbuf; i : (my address); next : (address of next station); ctr : (1, 2, ..., k+1); j : (1, ..., k)]

Figure 41: FSM and variables for the network nodes

The local variables j and ctr are initially set to 1, and inbuf and outbuf are initially
set to empty. The shared variable MEDIUM initially contains the token, with the address of
the station in the DA field. Thus the initial system state tuple is (0,0, ..., 0) and the first
transition taken will be get-tk by the station which has its local variable i equal to
MEDIUM.DA.

Each machine has four states. In the initial state, 0, the stations are waiting to
either receive a message from another station, or the token. If the token appears in the
variable MEDIUM with the station’s own address, the transition to state 2 is taken. When
taking the get-tk transition, the machine clears the communication medium and sets the
message counter ctr to 1. In state 2, the station transmits any data blocks it has, moving to
state 3, or passes the token, returning to state 0. In state 3, the station will return to state 2
if any additional blocks are to be sent, until the maximum count k is reached. When the
count is reached, or when all the station’s messages have been sent, the station returns to
state 0.

The receiving station, as with all stations not in possession of the token, will be in
state 0. The message will appear in MEDIUM, with the receiving station’s address in the
DA field. The receiving transition to state 1 will then be taken, the data block copied, and
MEDIUM cleared. By clearing the medium, the receiving station enables the sending
station to return to its initial state (0) or to its sending state (2).



TABLE 5: PREDICATE-ACTION TABLE FOR THE NETWORK NODES

| Transition | Enabling Predicate | Action |
| rcv | MEDIUM.(t, DA) = (D, i) | inbuf ← MEDIUM.(SA, data) |
| ready | true | MEDIUM ← ∅ |
| get-tk | MEDIUM.(t, DA) = (T, i) | MEDIUM ← ∅; ctr ← 1 |
| pass | outbuf[j] = ∅ | MEDIUM ← (T, next, i, ∅) |
| Xmit | outbuf[j] ≠ ∅ | MEDIUM ← outbuf[j]; ctr ← ctr ⊕ 1; j ← j ⊕ 1; outbuf[j] ← ∅ |
| moreD | MEDIUM = ∅ ∧ outbuf[j] ≠ ∅ | null |
| pass-tk | MEDIUM = ∅ ∧ (outbuf[j] = ∅ ∨ ctr = k+1) | MEDIUM ← (T, next, i, ∅) |
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The symbol “0” indicates that the variable should be incremented unless its 
maximum value has been reached, in which case it should be reset to the initial value. The 
notation MEDIUM. (t, DA) is used to denote the first two fields of the variable MEDIUM. 
For example, MEDIUMft, DA) = (T, i) is a boolean expression which is true if and only if 
the first field of MEDIUM contains the value T, and the second field contains the value i. 
Other notations in the predicate-action table such as “a”, “v”, etc. are intuitive. 

The inputs to the program for the reachability analysis of this protocol are given 
in Appendix C. The same names as in the specification are used for the local and global 
variables in the package definitions. Also, the “empty” value is represented by “E” and the 
data are represented by “I” in this package. The upper bound on the number of data blocks 
in the outbuf variable is set to 7. 

The system state analysis alone did not give a complete analysis, because of 
loops in the FSMs of the SCM specification. System state analysis treats two system 
states as equivalent if both the machine state tuples and the outgoing transitions are 
the same, and this can produce insufficient results in some special cases. For example, 
incomplete results can arise when the FSMs of the specification include loops that lead 
repeatedly to the same states and enabled transitions. In such specifications, some of 
the transitions remain unexecuted, resulting in an incomplete analysis. This situation 
was observed in this specification when one of the machines had two or more data blocks 
in its outbuf local variable. For instance, if machine 1 has two data blocks in its 
outbuf local variable waiting for transmission and it receives the token from MEDIUM, 
it transitions to state 2 with get-tk and then takes the Xmit transition to state 3, 
sending the first data block. Since it has one more data block to send, the next 
transition will be moreD, which takes it back to state 2. At this point the system 
state analysis stops and the reachability analysis is incomplete. 
The problem can be solved by splitting the system state analysis into three parts. 
First, the protocol can be analyzed with no messages in the machines, so that the 
behavior of the machines involving only the transitions of the token can be observed 
(transitions get-tk and pass). Then, the analysis can be performed with one message in 
the outbuf local variables of the machines, which allows us to analyze the transitions 
for receiving and transmitting the messages in addition to the transitions involving the 
token (get-tk, Xmit, rcv, ready, pass-tk). Finally, the protocol can be analyzed with 
each machine having more than one message, which includes the last transition in the 
analysis (moreD). Combining the results of these parts shows that the protocol is free 
from deadlocks and there are no unexecuted transitions. 

The definitions packages and the analysis results are given separately for each of 
the three cases outlined above in Appendix C. The system state analysis generated 16, 40 
and 5 system states respectively for the parts explained above. The global analysis has 
generated 263 global states and there were no deadlocks or unexecuted transitions. The 
global reachability analysis is also given in Appendix C. 

The system state analysis has reduced the number of states from 263 (global) to 
61 (for all three parts). This is another example showing the advantage of the system state 
analysis. 
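
The argument above, as an added example that is not the thesis's Ada tool: a Python model of Table 5 that runs a global search and a search under the system-state equivalence (same machine-state tuple, same enabled transitions). Assumed here: k = 2, the token initially addressed to station 1, outbuf modelled as a FIFO of destination addresses, and eight stations for the split runs.

```python
from collections import deque

K = 2  # assumed value of the page's maximum block count k
ALL = {"rcv", "ready", "get-tk", "pass", "Xmit", "moreD", "pass-tk"}

def initial(outbufs):
    """Global state = (machine states, outbufs, ctrs, inbufs, MEDIUM)."""
    n = len(outbufs)
    # Assumed start: every station in state 0, token addressed to station 1.
    return ((0,) * n, tuple(tuple(o) for o in outbufs), (1,) * n,
            (None,) * n, ("T", 1, n))

def enabled(gs):
    """(station, transition) pairs whose Table 5 enabling predicate holds."""
    states, outbufs, ctrs, _, medium = gs
    moves = []
    for idx, st in enumerate(states):
        i, buf, ctr = idx + 1, outbufs[idx], ctrs[idx]
        if st == 0:
            if medium is not None and medium[1] == i:
                moves.append((i, "rcv" if medium[0] == "D" else "get-tk"))
        elif st == 1:
            moves.append((i, "ready"))
        elif st == 2:
            moves.append((i, "Xmit" if buf else "pass"))
        elif medium is None:                 # state 3 waits until MEDIUM is empty
            if buf:
                moves.append((i, "moreD"))
            if not buf or ctr == K + 1:
                moves.append((i, "pass-tk"))
    return moves

def fire(gs, i, t):
    """Apply the Table 5 action of transition t at station i."""
    states, outbufs, ctrs, inbufs = (list(x) for x in gs[:4])
    medium, n, x = gs[4], len(gs[0]), i - 1
    if t == "rcv":
        states[x], inbufs[x] = 1, medium[2]            # inbuf <- sender address
    elif t == "ready":
        states[x], medium = 0, None
    elif t == "get-tk":
        states[x], ctrs[x], medium = 2, 1, None
    elif t in ("pass", "pass-tk"):
        states[x], medium = 0, ("T", i % n + 1, i)     # token to the next station
    elif t == "Xmit":
        states[x], medium = 3, ("D", outbufs[x][0], i)
        outbufs[x] = outbufs[x][1:]
        ctrs[x] = 1 if ctrs[x] == K + 1 else ctrs[x] + 1   # wrap-around increment
    elif t == "moreD":
        states[x] = 2
    return (tuple(states), tuple(outbufs), tuple(ctrs), tuple(inbufs), medium)

def analyse(outbufs, system_state=False):
    """Breadth-first reachability; system_state=True merges states that share
    the machine-state tuple and the set of enabled transitions."""
    if system_state:
        key = lambda g: (g[0], frozenset(enabled(g)))
    else:
        key = lambda g: g
    start = initial(outbufs)
    seen, queue = {key(start)}, deque([start])
    executed, deadlocks = set(), []
    while queue:
        gs = queue.popleft()
        moves = enabled(gs)
        if not moves:
            deadlocks.append(gs)
        for i, t in moves:
            executed.add(t)
            nxt = fire(gs, i, t)
            if key(nxt) not in seen:
                seen.add(key(nxt))
                queue.append(nxt)
    return {"states": len(seen), "deadlocks": deadlocks,
            "unexecuted": ALL - executed}

def ring(n, blocks):
    """Constructed input: each station holds `blocks` data blocks for its successor."""
    return [(i % n + 1,) * blocks for i in range(1, n + 1)]

def split_analysis(n=8):
    """The three-part system state analysis: 0, 1 and 2 blocks per station."""
    parts = [analyse(ring(n, b), system_state=True) for b in (0, 1, 2)]
    left = set.intersection(*(p["unexecuted"] for p in parts))
    return [p["states"] for p in parts], left

if __name__ == "__main__":
    print(analyse([(2, 2), ()], system_state=True))   # stops after moreD
    print(split_analysis(8))
    print(analyse(ring(8, 2))["unexecuted"])          # global search
```

Under these assumptions the three split runs produce 16, 40 and 5 system states and together leave no transition unexecuted, while a single system-state run with two blocks in machine 1 never reaches pass or pass-tk.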
VI. CONCLUSIONS AND FURTHER RESEARCH POSSIBILITIES 



In this thesis, a software tool has been described which automates the analysis of 
protocols specified by the SCM and CFSM models. The program generates either the 
system state analysis or global reachability analysis for the SCM model. The program also 
generates the full reachability graph for a protocol specified by the CFSM model. 

The major achievement of the thesis was the increase in the number of machines in the 
protocol specification. The previous work in [Ref. 8] was extended to allow two to eight 
machines in the specification. The run time and memory efficiency of the program were 
improved to allow the analysis of larger and more complex protocols. The user interface of 
the program has also been improved. 

The system state analysis reduces the size of the state space greatly, but in some cases, 
when the system state analysis is not sufficient for the protocol analysis, the global 
reachability analysis is required. The Smart Mushroom program generates the system state 
graph. The Simple and Big Mushroom programs are based on exhaustive analysis, and 
generate the full global reachability graph. The main problem in these programs is the 
“state space explosion.” As stated in [Ref. 16], an estimate for the maximum size of the 
state space that can be reached for a full reachability analysis is about 10^5 states. This is in 
agreement with the maximum number of states generated so far using the Big Mushroom 
program (153565 = 1.53 x 10^5 states were generated for the example protocol described in 
Chapter V). 

The size of the state space which can be generated is directly proportional to the 
memory available on the computer. For a full reachability graph, an equation can be derived 
for determining the maximum number of states, where: 

M: Memory available on the computer (bytes). 

S: Amount of memory for storing one system state (bytes). 

O: Overhead (memory for storing the program and other data structures etc.). 

Then, the number of states that can be analyzed is: N = (M - O)/S. Usually O ≪ M, and 
O can be ignored. For instance, for the LAP-B protocol analysis described in Chapter V, 
M = 80 MBytes, S = 516 bytes, and N = 162596. In this analysis, only 153565 states were 
generated by the Simple Mushroom program. The difference between these numbers is due 
to the exclusion of the overhead in the calculation. Unfortunately, memory was not enough 
for 100% coverage in this analysis. 

In spite of the state space explosion, the programs developed in this thesis are still very 
helpful for analyzing protocols. A full reachability analysis may be feasible by keeping the 
protocol specifications as simple as possible, and using certain assumptions about the 
behavior of the protocol to reduce the size of the state space. For example, the size of the 
message queue is very important for the CFSM model. A smaller message queue decreases 
S and allows larger protocols to be analyzed. A specification with fewer processes 
increases the number of states that can be analyzed. Modeling the machines with fewer 
states is also helpful. For the SCM model, N can be increased by keeping the 
size of global and local variables as small as possible. A simpler protocol specification also 
reduces the run time. 

But in some cases, even after some simplifications, a full reachability analysis is 
impossible. Fortunately, some solutions still exist for automated protocol analysis. One 
method, described in [Ref. 16], is the supertrace algorithm. In the Mushroom 
program, hashing is used to increase the search efficiency. In the supertrace algorithm a 
very large hash size (almost the whole available memory) is used, and system states are not 
stored. For example, with 10 MB of memory, 80 million states can be generated using this 
method, as described in [Ref. 16]. Of course this efficiency does not come free. Due to 
hash conflicts, this method cannot guarantee 100% coverage, but as a partial search 
technique, this algorithm is very powerful. 
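
The trade-off just described, as an added example that is not code from the thesis or from [Ref. 16]: a bit-state search that keeps one bit per hash slot and never stores a state, next to an exact search that stores every state. The two-counter transition system, the SHA-256 slot function and the breadth-first order are constructed for this illustration.

```python
import hashlib
from collections import deque

def successors(state, size=40):
    """Constructed toy system: two wrap-around counters stepped independently."""
    a, b = state
    return [((a + 1) % size, b), (a, (b + 1) % size)]

def exact_search(start):
    """Full reachability: every visited state is stored, so memory grows as N * S."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in successors(queue.popleft()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return len(seen)

def supertrace_search(start, table_bits):
    """Bit-state search: only a bit array of table_bits bits is kept."""
    bits = bytearray((table_bits + 7) // 8)

    def mark(state):
        """Set the state's bit; return True if it was already set."""
        digest = hashlib.sha256(repr(state).encode()).digest()
        slot = int.from_bytes(digest[:8], "big") % table_bits
        byte, mask = slot // 8, 1 << (slot % 8)
        was_set = bool(bits[byte] & mask)
        bits[byte] |= mask
        return was_set

    mark(start)
    visited, queue = 1, deque([start])
    while queue:
        for nxt in successors(queue.popleft()):
            # A set bit means "already visited" or a hash conflict with another
            # state; in the second case nxt is silently dropped from the search.
            if not mark(nxt):
                visited += 1
                queue.append(nxt)
    return visited

if __name__ == "__main__":
    total = exact_search((0, 0))
    for table_bits in (512, 1 << 20):
        found = supertrace_search((0, 0), table_bits)
        print(f"{table_bits:>8} bits: {found} of {total} states visited")
```

A table of m bits can never account for more than m states, which is why the small table necessarily misses part of the 1600-state space.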

This thesis opens several areas for further work. One improvement would be to 
increase the size of the system space that can be analyzed. Adding the supertrace option to 
the Mushroom program can be a good area for further work. 

The number of reachable states is usually very large and it would be awkward to print 
out or browse through the listing. Another improvement would be to store the reachability 
analysis results in the form of a database, and provide a query language that allows the user 
to easily analyze the results of the analysis as suggested in [Ref. 17] (for instance, querying 
the error sequences and certain paths between any two states etc.). 

Finally, another research possibility would be to add a simulator module to the 
Mushroom. For protocols with a large size of state space, where full reachability analysis 
is infeasible, simulation would be useful. 

The Ada programming language was used to develop Mushroom. Also, the specification 
of the SCM model must be entered into the program using Ada subprograms and packages. 
Ada is a well-structured programming language, and supports the modular development of 
programs. Also, exception handling, generic units, and tasking are important features of 
Ada. These features were helpful in developing the program. The well-structured property 
of the programming language makes the input of the specification easier. The tasking 
mechanism of Ada would be very helpful in developing a simulator module for the program. 

The Simple Mushroom program is used as a teaching aid in an introductory 
communications network course at Naval Postgraduate School. This can be another area 
where students can use the tool as an aid in learning protocol design and analysis. 

The Mushroom program is a tool which, it is hoped, will greatly improve the 
design and analysis of protocols specified by the SCM and CFSM models. In particular, this 
program may help to solve some questions concerning the SCM model which have not been 
completely answered. 
APPENDIX A (LAP-B Protocol Information Transfer Phase) 
REACHABILITY GRAPH 






17034[3,E,E,E,E,E,3,E,E,E,E,E,1,E,E,E,E,E,1,E,E,E,E,E,3,E,E,E,E,E,3,E,E,E,E,E] 

********** DEADLOCK Condition ********** 

1 7035 [ 6,E,E,E,E,E, 3,E,E,E,E,E, 30,E,E, 1 1 1 12 1,E,E, 1 ,E,E,E,E,E, 3,E,EJE,EJE; 2,E,E,E,E,E] 
•A1 1 [6,E,E,E,E,E,3,E,E,E,E,E,l t Al,E,IllI21,E,E,l,E,E,E,E,E,3,E,E,E,E,E,2,E,E,E,E,E] 



73391. . . 



SUMMARY OF REACHABILITY ANALYSIS (ANALYSIS COMPLETED) 

Total number of states generated : 73391 
Number of states analyzed : 73391 
number of deadlocks : 1 
number of unspecified receptions : 0 
maximum message queue size : 6 
channel overflow : NONE 

UNEXECUTED TRANSITIONS 

****NONE**** 



17034 
APPENDIX B (Go back N Window Size of 10) 
FSM Text File 



start
number_of_machines 2
machine 1
state 0
trans snd_data 1
state 1
trans rcv_ack0 0
trans snd_data 2
state 2
trans rcv_ack0 0
trans rcv_ack1 1
trans snd_data 3
state 3
trans rcv_ack0 0
trans rcv_ack1 1
trans rcv_ack2 2
trans snd_data 4
state 4
trans rcv_ack0 0
trans rcv_ack1 1
trans rcv_ack2 2
trans rcv_ack3 3
trans snd_data 5
state 5
trans rcv_ack0 0
trans rcv_ack1 1
trans rcv_ack2 2
trans rcv_ack3 3
trans rcv_ack4 4
trans snd_data 6
state 6
trans rcv_ack0 0
trans rcv_ack1 1
trans rcv_ack2 2
trans rcv_ack3 3
trans rcv_ack4 4
trans rcv_ack5 5
trans snd_data 7
state 7
trans rcv_ack0 0
trans rcv_ack1 1
trans rcv_ack2 2
trans rcv_ack3 3
trans rcv_ack4 4
trans rcv_ack5 5
trans rcv_ack6 6
trans snd_data 8
state 8
trans rcv_ack0 0
trans rcv_ack1 1
trans rcv_ack2 2
trans rcv_ack3 3
trans rcv_ack4 4
trans rcv_ack5 5
trans rcv_ack6 6
trans rcv_ack7 7
trans snd_data 9
state 9
trans rcv_ack0 0
trans rcv_ack1 1
trans rcv_ack2 2
trans rcv_ack3 3
trans rcv_ack4 4
trans rcv_ack5 5
trans rcv_ack6 6
trans rcv_ack7 7
trans rcv_ack8 8
trans snd_data 10
state 10
trans rcv_ack0 0
trans rcv_ack1 1
trans rcv_ack2 2
trans rcv_ack3 3
trans rcv_ack4 4
trans rcv_ack5 5
trans rcv_ack6 6
trans rcv_ack7 7
trans rcv_ack8 8
trans rcv_ack9 9
machine 2
state 0
trans rcv_data 1
state 1
trans rcv_data 2
trans snd_ack 0
state 2
trans rcv_data 3
trans snd_ack 0
state 3
trans rcv_data 4
trans snd_ack 0
state 4
trans rcv_data 5
trans snd_ack 0
state 5
trans rcv_data 6
trans snd_ack 0
state 6
trans rcv_data 7
trans snd_ack 0
state 7
trans rcv_data 8
trans snd_ack 0
state 8
trans rcv_data 9
trans snd_ack 0
state 9
trans rcv_data 10
trans snd_ack 0
state 10
trans snd_ack 0
initial_state 0 0
finish





Variable Definitions 



with TEXT_IO; use TEXT_IO;
package definitions is

   num_of_machines : constant := 2;

   -- Transition names used in the FSM text file
   type scm_transition_type is
      (snd_data, rcv_data, rcv_ack0, rcv_ack1, rcv_ack2, rcv_ack3, rcv_ack4,
       rcv_ack5, rcv_ack6, rcv_ack7, rcv_ack8, rcv_ack9, snd_ack, unused);

   -- Data blocks d0..d9; e is the "empty" value
   type buffer_type is (d0, d1, d2, d3, d4, d5, d6, d7, d8, d9, e);
   package buff_enum_io is new enumeration_io(buffer_type);
   use buff_enum_io;

   type buffer_array_type is array(1..10) of buffer_type;
   type seq_array_type is array(1..10) of integer range -1..10;

   -- Local variables of machine 1 (sender)
   type machine1_state_type is
      record
         Sdata : buffer_array_type := (d0, d1, d2, d3, d4, d5, d6, d7, d8, d9);
         seq   : integer range 0..10 := 0;
         i     : integer range 1..10 := 1;
      end record;

   type dummy_type is range 1..255;

   -- Local variables of machine 2 (receiver)
   type machine2_state_type is
      record
         Rdata : buffer_type := e;
         exp   : integer range 0..10 := 0;
         j     : integer range 1..10 := 1;
      end record;

   -- Machines 3 to 8 are not used in this specification
   type machine3_state_type is
      record
         dummy : dummy_type;
      end record;

   type machine4_state_type is
      record
         dummy : dummy_type;
      end record;

   type machine5_state_type is
      record
         dummy : dummy_type;
      end record;

   type machine6_state_type is
      record
         dummy : dummy_type;
      end record;

   type machine7_state_type is
      record
         dummy : dummy_type;
      end record;

   type machine8_state_type is
      record
         dummy : dummy_type;
      end record;

   -- Shared (global) variables
   type global_variable_type is
      record
         DATA : buffer_array_type := (e, e, e, e, e, e, e, e, e, e);
         SEQ  : seq_array_type := (-1, -1, -1, -1, -1, -1, -1, -1, -1, -1);
         ACK  : integer range -1..10 := -1;
      end record;

end definitions;
Predicate-action Table 

separate (main)
procedure Analyze_Predicates_Machine1 (local  : machine1_state_type;
                                       GLOBAL : global_variable_type;
                                       s      : natural;
                                       w      : in out transition_stack_package.stack) is

   temp1  : integer := GLOBAL.ACK + 0;
   temp2  : integer := (GLOBAL.ACK + 1) mod 11;
   temp3  : integer := (GLOBAL.ACK + 2) mod 11;
   temp4  : integer := (GLOBAL.ACK + 3) mod 11;
   temp5  : integer := (GLOBAL.ACK + 4) mod 11;
   temp6  : integer := (GLOBAL.ACK + 5) mod 11;
   temp7  : integer := (GLOBAL.ACK + 6) mod 11;
   temp8  : integer := (GLOBAL.ACK + 7) mod 11;
   temp9  : integer := (GLOBAL.ACK + 8) mod 11;
   temp10 : integer := (GLOBAL.ACK + 9) mod 11;

begin
   case s is
      when 0 =>
         if ((GLOBAL.DATA(local.i) = E) and (GLOBAL.SEQ(local.i) = -1)) then
            Push(w, snd_data);
         end if;
      when 1 =>
         if ((GLOBAL.DATA(local.i) = E) and (GLOBAL.SEQ(local.i) = -1)) then
            Push(w, snd_data);
         end if;
         if ((temp1 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack0);
         end if;
      when 2 =>
         if ((GLOBAL.DATA(local.i) = E) and (GLOBAL.SEQ(local.i) = -1)) then
            Push(w, snd_data);
         end if;
         if ((temp1 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack0);
         end if;
         if ((temp2 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack1);
         end if;
      when 3 =>
         if ((GLOBAL.DATA(local.i) = E) and (GLOBAL.SEQ(local.i) = -1)) then
            Push(w, snd_data);
         end if;
         if ((temp1 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack0);
         end if;
         if ((temp2 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack1);
         end if;
         if ((temp3 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack2);
         end if;
      when 4 =>
         if ((GLOBAL.DATA(local.i) = E) and (GLOBAL.SEQ(local.i) = -1)) then
            Push(w, snd_data);
         end if;
         if ((temp1 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack0);
         end if;
         if ((temp2 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack1);
         end if;
         if ((temp3 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack2);
         end if;
         if ((temp4 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack3);
         end if;
      when 5 =>
         if ((GLOBAL.DATA(local.i) = E) and (GLOBAL.SEQ(local.i) = -1)) then
            Push(w, snd_data);
         end if;
         if ((temp1 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack0);
         end if;
         if ((temp2 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack1);
         end if;
         if ((temp3 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack2);
         end if;
         if ((temp4 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack3);
         end if;
         if ((temp5 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack4);
         end if;
      when 6 =>
         if ((GLOBAL.DATA(local.i) = E) and (GLOBAL.SEQ(local.i) = -1)) then
            Push(w, snd_data);
         end if;
         if ((temp1 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack0);
         end if;
         if ((temp2 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack1);
         end if;
         if ((temp3 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack2);
         end if;
         if ((temp4 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack3);
         end if;
         if ((temp5 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack4);
         end if;
         if ((temp6 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack5);
         end if;
      when 7 =>
         if ((GLOBAL.DATA(local.i) = E) and (GLOBAL.SEQ(local.i) = -1)) then
            Push(w, snd_data);
         end if;
         if ((temp1 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack0);
         end if;
         if ((temp2 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack1);
         end if;
         if ((temp3 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack2);
         end if;
         if ((temp4 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack3);
         end if;
         if ((temp5 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack4);
         end if;
         if ((temp6 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack5);
         end if;
         if ((temp7 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack6);
         end if;
      when 8 =>
         if ((GLOBAL.DATA(local.i) = E) and (GLOBAL.SEQ(local.i) = -1)) then
            Push(w, snd_data);
         end if;
         if ((temp1 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack0);
         end if;
         if ((temp2 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack1);
         end if;
         if ((temp3 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack2);
         end if;
         if ((temp4 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack3);
         end if;
         if ((temp5 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack4);
         end if;
         if ((temp6 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack5);
         end if;
         if ((temp7 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack6);
         end if;
         if ((temp8 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack7);
         end if;
      when 9 =>
         if ((GLOBAL.DATA(local.i) = E) and (GLOBAL.SEQ(local.i) = -1)) then
            Push(w, snd_data);
         end if;
         if ((temp1 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack0);
         end if;
         if ((temp2 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack1);
         end if;
         if ((temp3 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack2);
         end if;
         if ((temp4 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack3);
         end if;
         if ((temp5 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack4);
         end if;
         if ((temp6 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack5);
         end if;
         if ((temp7 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack6);
         end if;
         if ((temp8 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack7);
         end if;
         if ((temp9 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack8);
         end if;
         if ((temp10 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack9);
         end if;
      when 10 =>
         if ((temp1 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack0);
         end if;
         if ((temp2 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack1);
         end if;
         if ((temp3 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack2);
         end if;
         if ((temp4 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack3);
         end if;
         if ((temp5 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack4);
         end if;
         if ((temp6 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack5);
         end if;
         if ((temp7 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack6);
         end if;
         if ((temp8 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack7);
         end if;
         if ((temp9 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack8);
         end if;
         if ((temp10 = local.seq) and (GLOBAL.ACK /= -1)) then
            Push(w, rcv_ack9);
         end if;
      when others =>
         null;
   end case;
end Analyze_Predicates_Machine1;



separate (main)
procedure Analyze_Predicates_Machine2 (local  : machine2_state_type;
                                       GLOBAL : global_variable_type;
                                       s      : natural;
                                       w      : in out transition_stack_package.stack) is
begin
   case s is
      when 0 =>
         if ((GLOBAL.DATA(local.j) /= E) and (GLOBAL.SEQ(local.j) = local.exp)) then
            Push(w, rcv_data);
         end if;
      when 1|2|3|4|5|6|7|8|9 =>
         if (GLOBAL.DATA(local.j) = E) then
            Push(w, snd_ack);
         end if;
         if ((GLOBAL.DATA(local.j) /= E) and (GLOBAL.SEQ(local.j) = local.exp)) then
            Push(w, rcv_data);
         end if;
      when 10 =>
         if (GLOBAL.DATA(local.j) = E) then
            Push(w, snd_ack);
         end if;
      when others =>
         null;
   end case;
end Analyze_Predicates_Machine2;

separate (main)
procedure Analyze_Predicates_Machine3 (local  : machine3_state_type;
                                       GLOBAL : global_variable_type;
                                       s      : natural;
                                       w      : in out transition_stack_package.stack) is
begin
   null;
end Analyze_Predicates_Machine3;

separate (main)
procedure Analyze_Predicates_Machine4 (local  : machine4_state_type;
                                       GLOBAL : global_variable_type;
                                       s      : natural;
                                       w      : in out transition_stack_package.stack) is
begin
   null;
end Analyze_Predicates_Machine4;

separate (main)
procedure Analyze_Predicates_Machine5 (local  : machine5_state_type;
                                       GLOBAL : global_variable_type;
                                       s      : natural;
                                       w      : in out transition_stack_package.stack) is
begin
   null;
end Analyze_Predicates_Machine5;

separate (main)
procedure Analyze_Predicates_Machine6 (local  : machine6_state_type;
                                       GLOBAL : global_variable_type;
                                       s      : natural;
                                       w      : in out transition_stack_package.stack) is
begin
   null;
end Analyze_Predicates_Machine6;

separate (main)
procedure Analyze_Predicates_Machine7 (local  : machine7_state_type;
                                       GLOBAL : global_variable_type;
                                       s      : natural;
                                       w      : in out transition_stack_package.stack) is
begin
   null;
end Analyze_Predicates_Machine7;

separate (main)
procedure Analyze_Predicates_Machine8 (local  : machine8_state_type;
                                       GLOBAL : global_variable_type;
                                       s      : natural;
                                       w      : in out transition_stack_package.stack) is
begin
   null;
end Analyze_Predicates_Machine8;

separate (main)
procedure Action (in_system_state  : in out Gstate_record_type;
                  in_transition    : in out scm_transition_type;
                  out_system_state : in out Gstate_record_type) is
begin
   case (in_transition) is
      when snd_data =>
         out_system_state.GLOBAL_VARIABLES.DATA(in_system_state.machine1_state.i) :=
            in_system_state.machine1_state.Sdata(in_system_state.machine1_state.i);
         out_system_state.GLOBAL_VARIABLES.SEQ(in_system_state.machine1_state.i) :=
            in_system_state.machine1_state.seq;
         out_system_state.machine1_state.i := (in_system_state.machine1_state.i mod 10) + 1;
         out_system_state.machine1_state.seq := (((in_system_state.machine1_state.seq) + 1) mod 11);

      when rcv_ack0 | rcv_ack1 | rcv_ack2 | rcv_ack3 | rcv_ack4
         | rcv_ack5 | rcv_ack6 | rcv_ack7 | rcv_ack8 | rcv_ack9 =>
         out_system_state.GLOBAL_VARIABLES.ACK := -1;

      when snd_ack =>
         out_system_state.GLOBAL_VARIABLES.ACK := in_system_state.machine2_state.exp;
         out_system_state.machine2_state.Rdata := e;

      when rcv_data =>
         out_system_state.machine2_state.Rdata :=
            in_system_state.GLOBAL_VARIABLES.DATA(in_system_state.machine2_state.j);
         out_system_state.GLOBAL_VARIABLES.DATA(in_system_state.machine2_state.j) := E;
         out_system_state.GLOBAL_VARIABLES.SEQ(in_system_state.machine2_state.j) := -1;
         out_system_state.machine2_state.j := (in_system_state.machine2_state.j mod 10) + 1;
         out_system_state.machine2_state.exp := (((in_system_state.machine2_state.exp) + 1) mod 11);

      when others =>
         put_line("There is an error in the Action procedure");
   end case;
end Action;
Output Format 

separate (main)
procedure output_Gtuple (tuple : in out Gstate_record_type) is
begin
   if print_header then
      -- Column header, printed once
      new_line(2);
      set_col(7);
      put_line(" m1(seq, i, Sdata) , m2(exp, j, Rdata) , (DATA, SEQ, ACK) ");
      print_header := false;
   else
      -- Machine 1: FSM state, seq, i, first Sdata entry
      put(" [" & integer'image(tuple.machine_state(1)));
      put(", ");
      put(tuple.machine1_state.seq, width => 1);
      put(", ");
      put(tuple.machine1_state.i, width => 1);
      put(", ");
      buff_enum_io.put(tuple.machine1_state.Sdata(1), set => upper_case);
      -- Machine 2: FSM state, exp, j, Rdata
      put(", " & integer'image(tuple.machine_state(2)));
      put(", ");
      put(tuple.machine2_state.exp, width => 1);
      put(", ");
      put(tuple.machine2_state.j, width => 1);
      put(", ");
      buff_enum_io.put(tuple.machine2_state.Rdata, set => upper_case);
      -- Global variables: DATA and SEQ arrays, then ACK
      for i in 1..10 loop
         put(", ");
         buff_enum_io.put(tuple.GLOBAL_VARIABLES.DATA(i), set => upper_case);
         put(", ");
         put(tuple.GLOBAL_VARIABLES.SEQ(i), width => 1);
      end loop;
      put(", ");
      put(tuple.GLOBAL_VARIABLES.ACK, width => 1);
      put("]");
   end if;
end output_Gtuple;
Program Output (System State Analysis) 

REACHABILITY ANALYSIS of : gbn_10.scm 
SPECIFICATION 

| Machine 1 State Transitions |
| From | To | Transition |
|    0 |  1 | snd_data   |
|    1 |  0 | rcv_ack0   |
|    1 |  2 | snd_data   |
|    2 |  0 | rcv_ack0   |
|    2 |  1 | rcv_ack1   |
|    2 |  3 | snd_data   |
|    3 |  0 | rcv_ack0   |
|    3 |  1 | rcv_ack1   |
|    3 |  2 | rcv_ack2   |
|    3 |  4 | snd_data   |
|    4 |  0 | rcv_ack0   |
|    4 |  1 | rcv_ack1   |
|    4 |  2 | rcv_ack2   |
|    4 |  3 | rcv_ack3   |
|    4 |  5 | snd_data   |
|    5 |  0 | rcv_ack0   |
|    5 |  1 | rcv_ack1   |
|    5 |  2 | rcv_ack2   |
|    5 |  3 | rcv_ack3   |
|    5 |  4 | rcv_ack4   |
|    5 |  6 | snd_data   |
|    6 |  0 | rcv_ack0   |
|    6 |  1 | rcv_ack1   |
|    6 |  2 | rcv_ack2   |
|    6 |  3 | rcv_ack3   |
|    6 |  4 | rcv_ack4   |
|    6 |  5 | rcv_ack5   |
|    6 |  7 | snd_data   |
|    7 |  0 | rcv_ack0   |
|    7 |  1 | rcv_ack1   |
|    7 |  2 | rcv_ack2   |
|    7 |  3 | rcv_ack3   |
|    7 |  4 | rcv_ack4   |
|    7 |  5 | rcv_ack5   |
|    7 |  6 | rcv_ack6   |
|    7 |  8 | snd_data   |
|    8 |  0 | rcv_ack0   |
|    8 |  1 | rcv_ack1   |
|    8 |  2 | rcv_ack2   |
|    8 |  3 | rcv_ack3   |
|    8 |  4 | rcv_ack4   |
|    8 |  5 | rcv_ack5   |
|    8 |  6 | rcv_ack6   |
|    8 |  7 | rcv_ack7   |
|    8 |  9 | snd_data   |
|    9 |  0 | rcv_ack0   |
|    9 |  1 | rcv_ack1   |
|    9 |  2 | rcv_ack2   |
|    9 |  3 | rcv_ack3   |
|    9 |  4 | rcv_ack4   |
|    9 |  5 | rcv_ack5   |
|    9 |  6 | rcv_ack6   |
|    9 |  7 | rcv_ack7   |
|    9 |  8 | rcv_ack8   |
|    9 | 10 | snd_data   |
|   10 |  0 | rcv_ack0   |
|   10 |  1 | rcv_ack1   |
|   10 |  2 | rcv_ack2   |
|   10 |  3 | rcv_ack3   |
|   10 |  4 | rcv_ack4   |
|   10 |  5 | rcv_ack5   |
|   10 |  6 | rcv_ack6   |
|   10 |  7 | rcv_ack7   |
|   10 |  8 | rcv_ack8   |
|   10 |  9 | rcv_ack9   |

| Machine 2 State Transitions |
| From | To | Transition |
|    0 |  1 | rcv_data   |
|    1 |  2 | rcv_data   |
|    1 |  0 | snd_ack    |
|    2 |  3 | rcv_data   |
|    2 |  0 | snd_ack    |
|    3 |  4 | rcv_data   |
|    3 |  0 | snd_ack    |
|    4 |  5 | rcv_data   |
|    4 |  0 | snd_ack    |
|    5 |  6 | rcv_data   |
|    5 |  0 | snd_ack    |
|    6 |  7 | rcv_data   |
|    6 |  0 | snd_ack    |
|    7 |  8 | rcv_data   |
|    7 |  0 | snd_ack    |
|    8 |  9 | rcv_data   |
|    8 |  0 | snd_ack    |
|    9 | 10 | rcv_data   |
|    9 |  0 | snd_ack    |
|   10 |  0 | snd_ack    |



REACHABILITY GRAPH

[Table: reachability graph listing for global states 0 through 285]


SUMMARY OF REACHABILITY ANALYSIS (ANALYSIS COMPLETED) 



Number of states generated : 286
Number of states analyzed  : 286
Number of deadlocks        : 0

UNEXECUTED TRANSITIONS
*****NONE*****
APPENDIX C (Token Bus Protocol)



FSM Text File 



Start
number_of_machines 8
machine 1
  state 0
    trans rcv1 1
    trans get_tk1 2
  state 1
    trans ready1 0
  state 2
    trans Xmit1 3
    trans pass1 0
  state 3
    trans moreD1 2
    trans pass_tk1 0
machine 2
  state 0
    trans rcv2 1
    trans get_tk2 2
  state 1
    trans ready2 0
  state 2
    trans Xmit2 3
    trans pass2 0
  state 3
    trans moreD2 2
    trans pass_tk2 0
machine 3
  state 0
    trans rcv3 1
    trans get_tk3 2
  state 1
    trans ready3 0
  state 2
    trans Xmit3 3
    trans pass3 0
  state 3
    trans moreD3 2
    trans pass_tk3 0
machine 4
  state 0
    trans rcv4 1
    trans get_tk4 2
  state 1
    trans ready4 0
  state 2
    trans Xmit4 3
    trans pass4 0
  state 3
    trans moreD4 2
    trans pass_tk4 0
machine 5
  state 0
    trans rcv5 1
    trans get_tk5 2
  state 1
    trans ready5 0
  state 2
    trans Xmit5 3
    trans pass5 0
  state 3
    trans moreD5 2
    trans pass_tk5 0
machine 6
  state 0
    trans rcv6 1
    trans get_tk6 2
  state 1
    trans ready6 0
  state 2
    trans Xmit6 3
    trans pass6 0
  state 3
    trans moreD6 2
    trans pass_tk6 0
machine 7
  state 0
    trans rcv7 1
    trans get_tk7 2
  state 1
    trans ready7 0
  state 2
    trans Xmit7 3
    trans pass7 0
  state 3
    trans moreD7 2
    trans pass_tk7 0
machine 8
  state 0
    trans rcv8 1
    trans get_tk8 2
  state 1
    trans ready8 0
  state 2
    trans Xmit8 3
    trans pass8 0
  state 3
    trans moreD8 2
    trans pass_tk8 0
initial_state 00000000
finish
Variable Definitions (No Message in outbuf Variables)

with TEXT_IO; use TEXT_IO;
package definitions is

   num_of_machines : constant := 8;
   k : constant := 7;  -- number of rows (messages) in output buffer

   type scm_transition_type is (pass1, pass2, pass3, pass4, pass5, pass6,
                                pass7, pass8, get_tk1, get_tk2,
                                get_tk3, get_tk4, get_tk5, get_tk6,
                                get_tk7, get_tk8, Xmit1, Xmit2, Xmit3,
                                Xmit4, Xmit5, Xmit6, Xmit7, Xmit8, moreD1,
                                moreD2, moreD3, moreD4, moreD5,
                                moreD6, moreD7, moreD8, pass_tk4, pass_tk5,
                                pass_tk6, pass_tk7, pass_tk8,
                                pass_tk1, pass_tk2, pass_tk3,
                                rcv1, rcv4, rcv5, rcv6, rcv7, rcv8,
                                rcv2, rcv3, ready1, ready2, ready3,
                                ready4, ready5, ready6, ready7, ready8, unused);

   type dummy_type is range 1..255;
   type t_field_type is (D, T, E);

   package t_field_enum_io is new enumeration_IO (t_field_type);
   use t_field_enum_io;

   type MEDIUM_TYPE is
      record
         t    : t_field_type;
         DA   : integer range 1..8;
         SA   : integer range 1..8;
         data : character;
      end record;

   type input_buffer_type is
      record
         DA   : integer range 0..8 := 0;
         SA   : integer range 0..8 := 0;
         data : character := 'E';
      end record;

   type output_buffer_type is array (1..k) of MEDIUM_TYPE;

   type machine1_state_type is
      record
         next   : integer := 2;                 -- address of downstream neighbor
         i      : integer := 1;                 -- station's own address
         ctr    : integer range 1..(k+1) := 1;  -- counter for messages sent
         j      : integer range 1..k := 1;      -- index for output buffer
         inbuf  : input_buffer_type;            -- stores the received messages
         outbuf : output_buffer_type := ((E,2,1,'I'), (E,3,1,'I'),
                                         (E,4,1,'I'), (E,5,1,'I'),
                                         (E,6,1,'I'), (E,7,1,'I'), (E,8,1,'I'));
      end record;

   type machine2_state_type is
      record
         next   : integer := 3;                 -- address of downstream neighbor
         i      : integer := 2;                 -- station's own address
         ctr    : integer range 1..(k+1) := 1;  -- counter for messages sent
         j      : integer range 1..k := 1;      -- index for output buffer
         inbuf  : input_buffer_type;            -- stores the received messages
         outbuf : output_buffer_type := ((E,1,2,'I'), (E,3,2,'I'),
                                         (E,4,2,'I'), (E,5,2,'I'),
                                         (E,6,2,'I'), (E,7,2,'I'), (E,8,2,'I'));
      end record;

   type machine3_state_type is
      record
         next   : integer := 4;                 -- address of downstream neighbor
         i      : integer := 3;                 -- station's own address
         ctr    : integer range 1..(k+1) := 1;  -- counter for messages sent
         j      : integer range 1..k := 1;      -- index for output buffer
         inbuf  : input_buffer_type;            -- stores the received messages
         outbuf : output_buffer_type := ((E,1,3,'I'), (E,2,3,'I'),
                                         (E,4,3,'I'), (E,5,3,'I'),
                                         (E,6,3,'I'), (E,7,3,'I'), (E,8,3,'I'));
      end record;

   type machine4_state_type is
      record
         next   : integer := 5;                 -- address of downstream neighbor
         i      : integer := 4;                 -- station's own address
         ctr    : integer range 1..(k+1) := 1;  -- counter for messages sent
         j      : integer range 1..k := 1;      -- index for output buffer
         inbuf  : input_buffer_type;            -- stores the received messages
         outbuf : output_buffer_type := ((E,1,4,'I'), (E,2,4,'I'), (E,3,4,'I'), (E,5,4,'I'),
                                         (E,6,4,'I'), (E,7,4,'I'), (E,8,4,'I'));
      end record;

   type machine5_state_type is
      record
         next   : integer := 6;                 -- address of downstream neighbor
         i      : integer := 5;                 -- station's own address
         ctr    : integer range 1..(k+1) := 1;  -- counter for messages sent
         j      : integer range 1..k := 1;      -- index for output buffer
         inbuf  : input_buffer_type;            -- stores the received messages
         outbuf : output_buffer_type := ((E,1,5,'I'), (E,2,5,'I'), (E,3,5,'I'), (E,4,5,'I'),
                                         (E,6,5,'I'), (E,7,5,'I'), (E,8,5,'I'));
      end record;

   type machine6_state_type is
      record
         next   : integer := 7;                 -- address of downstream neighbor
         i      : integer := 6;                 -- station's own address
         ctr    : integer range 1..(k+1) := 1;  -- counter for messages sent
         j      : integer range 1..k := 1;      -- index for output buffer
         inbuf  : input_buffer_type;            -- stores the received messages
         outbuf : output_buffer_type := ((E,1,6,'I'), (E,2,6,'I'), (E,3,6,'I'), (E,4,6,'I'),
                                         (E,5,6,'I'), (E,7,6,'I'), (E,8,6,'I'));
      end record;

   type machine7_state_type is
      record
         next   : integer := 8;                 -- address of downstream neighbor
         i      : integer := 7;                 -- station's own address
         ctr    : integer range 1..(k+1) := 1;  -- counter for messages sent
         j      : integer range 1..k := 1;      -- index for output buffer
         inbuf  : input_buffer_type;            -- stores the received messages
         outbuf : output_buffer_type := ((E,1,7,'I'), (E,2,7,'I'), (E,3,7,'I'), (E,4,7,'I'),
                                         (E,5,7,'I'), (E,6,7,'I'), (E,8,7,'I'));
      end record;

   type machine8_state_type is
      record
         next   : integer := 1;                 -- address of downstream neighbor
         i      : integer := 8;                 -- station's own address
         ctr    : integer range 1..(k+1) := 1;  -- counter for messages sent
         j      : integer range 1..k := 1;      -- index for output buffer
         inbuf  : input_buffer_type;            -- stores the received messages
         outbuf : output_buffer_type := ((E,1,8,'I'), (E,2,8,'I'), (E,3,8,'I'), (E,4,8,'I'),
                                         (E,5,8,'I'), (E,6,8,'I'), (E,7,8,'I'));
      end record;

   type global_variable_type is
      record
         MEDIUM : MEDIUM_TYPE := (T, 1, 2, 'K');
      end record;

end definitions;
Variable Definitions (One Message in outbuf Variables)

with TEXT_IO; use TEXT_IO;
package definitions is

   num_of_machines : constant := 8;
   k : constant := 7;  -- number of rows (messages) in output buffer

   type scm_transition_type is (pass1, pass2, pass3, pass4, pass5, pass6,
                                pass7, pass8, get_tk1, get_tk2,
                                get_tk3, get_tk4, get_tk5, get_tk6,
                                get_tk7, get_tk8, Xmit1, Xmit2, Xmit3,
                                Xmit4, Xmit5, Xmit6, Xmit7, Xmit8, moreD1,
                                moreD2, moreD3, moreD4, moreD5,
                                moreD6, moreD7, moreD8, pass_tk4, pass_tk5,
                                pass_tk6, pass_tk7, pass_tk8,
                                pass_tk1, pass_tk2, pass_tk3,
                                rcv1, rcv4, rcv5, rcv6, rcv7, rcv8,
                                rcv2, rcv3, ready1, ready2, ready3,
                                ready4, ready5, ready6, ready7, ready8, unused);

   type dummy_type is range 1..255;
   type t_field_type is (D, T, E);

   package t_field_enum_io is new enumeration_IO (t_field_type);
   use t_field_enum_io;

   type MEDIUM_TYPE is
      record
         t    : t_field_type;
         DA   : integer range 1..8;
         SA   : integer range 1..8;
         data : character;
      end record;

   type input_buffer_type is
      record
         DA   : integer range 0..8 := 0;
         SA   : integer range 0..8 := 0;
         data : character := 'E';
      end record;

   type output_buffer_type is array (1..k) of MEDIUM_TYPE;

   type machine1_state_type is
      record
         next   : integer := 2;                 -- address of downstream neighbor
         i      : integer := 1;                 -- station's own address
         ctr    : integer range 1..(k+1) := 1;  -- counter for messages sent
         j      : integer range 1..k := 1;      -- index for output buffer
         inbuf  : input_buffer_type;            -- stores the received messages
         outbuf : output_buffer_type := ((D,2,1,'I'), (E,3,1,'I'),
                                         (E,4,1,'I'), (E,5,1,'I'),
                                         (E,6,1,'I'), (E,7,1,'I'), (E,8,1,'I'));
      end record;

   type machine2_state_type is
      record
         next   : integer := 3;                 -- address of downstream neighbor
         i      : integer := 2;                 -- station's own address
         ctr    : integer range 1..(k+1) := 1;  -- counter for messages sent
         j      : integer range 1..k := 1;      -- index for output buffer
         inbuf  : input_buffer_type;            -- stores the received messages
         outbuf : output_buffer_type := ((D,1,2,'I'), (E,3,2,'I'),
                                         (E,4,2,'I'), (E,5,2,'I'),
                                         (E,6,2,'I'), (E,7,2,'I'), (E,8,2,'I'));
      end record;

   type machine3_state_type is
      record
         next   : integer := 4;                 -- address of downstream neighbor
         i      : integer := 3;                 -- station's own address
         ctr    : integer range 1..(k+1) := 1;  -- counter for messages sent
         j      : integer range 1..k := 1;      -- index for output buffer
         inbuf  : input_buffer_type;            -- stores the received messages
         outbuf : output_buffer_type := ((D,1,3,'I'), (E,2,3,'I'),
                                         (E,4,3,'I'), (E,5,3,'I'),
                                         (E,6,3,'I'), (E,7,3,'I'), (E,8,3,'I'));
      end record;

   type machine4_state_type is
      record
         next   : integer := 5;                 -- address of downstream neighbor
         i      : integer := 4;                 -- station's own address
         ctr    : integer range 1..(k+1) := 1;  -- counter for messages sent
         j      : integer range 1..k := 1;      -- index for output buffer
         inbuf  : input_buffer_type;            -- stores the received messages
         outbuf : output_buffer_type := ((D,1,4,'I'), (E,2,4,'I'), (E,3,4,'I'), (E,5,4,'I'),
                                         (E,6,4,'I'), (E,7,4,'I'), (E,8,4,'I'));
      end record;

   type machine5_state_type is
      record
         next   : integer := 6;                 -- address of downstream neighbor
         i      : integer := 5;                 -- station's own address
         ctr    : integer range 1..(k+1) := 1;  -- counter for messages sent
         j      : integer range 1..k := 1;      -- index for output buffer
         inbuf  : input_buffer_type;            -- stores the received messages
         outbuf : output_buffer_type := ((D,1,5,'I'), (E,2,5,'I'), (E,3,5,'I'), (E,4,5,'I'),
                                         (E,6,5,'I'), (E,7,5,'I'), (E,8,5,'I'));
      end record;

   type machine6_state_type is
      record
         next   : integer := 7;                 -- address of downstream neighbor
         i      : integer := 6;                 -- station's own address
         ctr    : integer range 1..(k+1) := 1;  -- counter for messages sent
         j      : integer range 1..k := 1;      -- index for output buffer
         inbuf  : input_buffer_type;            -- stores the received messages
         outbuf : output_buffer_type := ((D,1,6,'I'), (E,2,6,'I'), (E,3,6,'I'), (E,4,6,'I'),
                                         (E,5,6,'I'), (E,7,6,'I'), (E,8,6,'I'));
      end record;

   type machine7_state_type is
      record
         next   : integer := 8;                 -- address of downstream neighbor
         i      : integer := 7;                 -- station's own address
         ctr    : integer range 1..(k+1) := 1;  -- counter for messages sent
         j      : integer range 1..k := 1;      -- index for output buffer
         inbuf  : input_buffer_type;            -- stores the received messages
         outbuf : output_buffer_type := ((D,1,7,'I'), (E,2,7,'I'), (E,3,7,'I'), (E,4,7,'I'),
                                         (E,5,7,'I'), (E,6,7,'I'), (E,8,7,'I'));
      end record;

   type machine8_state_type is
      record
         next   : integer := 1;                 -- address of downstream neighbor
         i      : integer := 8;                 -- station's own address
         ctr    : integer range 1..(k+1) := 1;  -- counter for messages sent
         j      : integer range 1..k := 1;      -- index for output buffer
         inbuf  : input_buffer_type;            -- stores the received messages
         outbuf : output_buffer_type := ((D,1,8,'I'), (E,2,8,'I'), (E,3,8,'I'), (E,4,8,'I'),
                                         (E,5,8,'I'), (E,6,8,'I'), (E,7,8,'I'));
      end record;

   type global_variable_type is
      record
         MEDIUM : MEDIUM_TYPE := (T, 1, 2, 'E');
      end record;

end definitions;


Variable Definitions 

There are seven messages in the outbuf variable of each machine, and each machine sends
one message to the other machines in the network.



with TBXT_IO; us* TEXT_IO; 
package definitions ia 

num_o f_ma chines : constant :* 8; 

k : constant :* 7; — number of rows (messages) in output buffer 
type s cm_t r an s i t i on_t ype is (passl,pass2,pass3, pass4, pas*5, pass6, 

pass7 , pass8 , get_tkl , get_tk2, 
get_tk3 , get_tk4 , get_tk5 , get_tk6 , 
get_tk7 , get_tk8 , Xmitl , Xmit2 , Xmit 3 , 

Xmit4 , Xmit 5 , Xmit 6 , Xmit 7 , Xmit 8 , moreDl , 

moreD2 , moreD3 , moreD4 , moreDS , 

moreD6, moreD7 , mo re D 8 , pass_tk4 , pass_tk5 , 

pass_tk6, pass_tk7, pass_tk8, 

pass_tkl,pass_tk2, pass_tk3, 

rcvl , rcv4 , rcv5 , rcv6 , rcv7 , rcv8 , 

rcv2 , rcv3 , ready 1 , ready 2 r ready 3 , 

ready 4, ready5, ready 6, ready7, ready 8 , unused) ; 

type dummy_type is range 1..255; 
type t_field_type is (D,T,E); 

package t_f ield_enum_io is new enumeration_IO (t_f ield_type) ; 
use t_field_enum_io; 

type MEDIUMJTYPE is 
record 

t : t_f ield_type ; 

DA : integer range 1..8; 

SA : integer range 1..8; 

data : character; 
end record; 

type input_buf fer_type is 
record 

DA : integer range 0..8 :=0; 

SA : integer range 0 . . 8 : =0 ; 

data : character : = 'E'; 
end record; 

type output_buf fer_type is array (l..k) of MEDIUM_TYPE; 



   type machine1_state_type is
   record
      next   : integer := 2;                  -- address of downstream neighbor
      i      : integer := 1;                  -- station's own address
      ctr    : integer range 1..(k+1) := 1;   -- counter for messages sent
      j      : integer range 1..k := 1;       -- index for output buffer
      inbuf  : input_buffer_type;             -- stores the received messages
      outbuf : output_buffer_type := ( (D,2,1,'I'), (D,3,1,'I'),
                                       (D,4,1,'I'), (D,5,1,'I'),
                                       (D,6,1,'I'), (D,7,1,'I'), (D,8,1,'I') );
   end record;

   type machine2_state_type is
   record
      next   : integer := 3;                  -- address of downstream neighbor
      i      : integer := 2;                  -- station's own address
      ctr    : integer range 1..(k+1) := 1;   -- counter for messages sent
      j      : integer range 1..k := 1;       -- index for output buffer
      inbuf  : input_buffer_type;             -- stores the received messages
      outbuf : output_buffer_type := ( (D,1,2,'I'), (D,3,2,'I'),
                                       (D,4,2,'I'), (D,5,2,'I'),
                                       (D,6,2,'I'), (D,7,2,'I'), (D,8,2,'I') );
   end record;



   type machine3_state_type is
   record
      next   : integer := 4;                  -- address of downstream neighbor
      i      : integer := 3;                  -- station's own address
      ctr    : integer range 1..(k+1) := 1;   -- counter for messages sent
      j      : integer range 1..k := 1;       -- index for output buffer
      inbuf  : input_buffer_type;             -- stores the received messages
      outbuf : output_buffer_type := ( (D,1,3,'I'), (D,2,3,'I'),
                                       (D,4,3,'I'), (D,5,3,'I'),
                                       (D,6,3,'I'), (D,7,3,'I'), (D,8,3,'I') );
   end record;

   type machine4_state_type is
   record
      next   : integer := 5;                  -- address of downstream neighbor
      i      : integer := 4;                  -- station's own address
      ctr    : integer range 1..(k+1) := 1;   -- counter for messages sent
      j      : integer range 1..k := 1;       -- index for output buffer
      inbuf  : input_buffer_type;             -- stores the received messages
      outbuf : output_buffer_type := ( (D,1,4,'I'), (D,2,4,'I'), (D,3,4,'I'), (D,5,4,'I'),
                                       (D,6,4,'I'), (D,7,4,'I'), (D,8,4,'I') );
   end record;

   type machine5_state_type is
   record
      next   : integer := 6;                  -- address of downstream neighbor
      i      : integer := 5;                  -- station's own address
      ctr    : integer range 1..(k+1) := 1;   -- counter for messages sent
      j      : integer range 1..k := 1;       -- index for output buffer
      inbuf  : input_buffer_type;             -- stores the received messages
      outbuf : output_buffer_type := ( (D,1,5,'I'), (D,2,5,'I'), (D,3,5,'I'), (D,4,5,'I'),
                                       (D,6,5,'I'), (D,7,5,'I'), (D,8,5,'I') );
   end record;

   type machine6_state_type is
   record
      next   : integer := 7;                  -- address of downstream neighbor
      i      : integer := 6;                  -- station's own address
      ctr    : integer range 1..(k+1) := 1;   -- counter for messages sent
      j      : integer range 1..k := 1;       -- index for output buffer
      inbuf  : input_buffer_type;             -- stores the received messages
      outbuf : output_buffer_type := ( (D,1,6,'I'), (D,2,6,'I'), (D,3,6,'I'), (D,4,6,'I'),
                                       (D,5,6,'I'), (D,7,6,'I'), (D,8,6,'I') );
   end record;

   type machine7_state_type is
   record
      next   : integer := 8;                  -- address of downstream neighbor
      i      : integer := 7;                  -- station's own address
      ctr    : integer range 1..(k+1) := 1;   -- counter for messages sent
      j      : integer range 1..k := 1;       -- index for output buffer
      inbuf  : input_buffer_type;             -- stores the received messages
      outbuf : output_buffer_type := ( (D,1,7,'I'), (D,2,7,'I'), (D,3,7,'I'), (D,4,7,'I'),
                                       (D,5,7,'I'), (D,6,7,'I'), (D,8,7,'I') );
   end record;

   type machine8_state_type is
   record
      next   : integer := 1;                  -- address of downstream neighbor
      i      : integer := 8;                  -- station's own address
      ctr    : integer range 1..(k+1) := 1;   -- counter for messages sent
      j      : integer range 1..k := 1;       -- index for output buffer
      inbuf  : input_buffer_type;             -- stores the received messages
      outbuf : output_buffer_type := ( (D,1,8,'I'), (D,2,8,'I'), (D,3,8,'I'), (D,4,8,'I'),
                                       (D,5,8,'I'), (D,6,8,'I'), (D,7,8,'I') );
   end record;

   type global_variable_type is
   record
      MEDIUM : MEDIUM_TYPE := (T, 1, 2, 'N');
   end record;

end definitions;
Predicate-Action Table



separate (main)
procedure Analyze_Predicates_Machine1 (local  : machine1_state_type;
                                       global : global_variable_type;
                                       s      : natural;
                                       w      : in out transition_stack_package.stack) is
begin
   case s is
      when 0 =>
         if ((global.MEDIUM.t = D) and (global.MEDIUM.DA = local.i)) then
            push(w, rcv1);
         end if;
         if ((global.MEDIUM.t = T) and (global.MEDIUM.DA = local.i)) then
            push(w, get_tk1);
         end if;
      when 1 =>
         push(w, ready1);
      when 2 =>
         if (local.outbuf(local.j).t /= E) then
            push(w, Xmit1);
         end if;
         if (local.outbuf(local.j).t = E) then
            push(w, pass1);
         end if;
      when 3 =>
         if ((global.MEDIUM.t = E) and (local.outbuf(local.j).t /= E) and
             (local.ctr <= k)) then
            push(w, moreD1);
         end if;
         if ((global.MEDIUM.t = E) and ((local.outbuf(local.j).t = E)
             or (local.ctr = (k+1)))) then
            push(w, pass_tk1);
         end if;
      when others =>
         null;
   end case;
end Analyze_Predicates_Machine1;



separate (main)
procedure Analyze_Predicates_Machine2 (local  : machine2_state_type;
                                       global : global_variable_type;
                                       s      : natural;
                                       w      : in out transition_stack_package.stack) is
begin
   case s is
      when 0 =>
         if ((global.MEDIUM.t = D) and (global.MEDIUM.DA = local.i)) then
            push(w, rcv2);
         end if;
         if ((global.MEDIUM.t = T) and (global.MEDIUM.DA = local.i)) then
            push(w, get_tk2);
         end if;
      when 1 =>
         push(w, ready2);
      when 2 =>
         if (local.outbuf(local.j).t /= E) then
            push(w, Xmit2);
         end if;
         if (local.outbuf(local.j).t = E) then
            push(w, pass2);
         end if;
      when 3 =>
         if ((global.MEDIUM.t = E) and (local.outbuf(local.j).t /= E) and
             (local.ctr <= k)) then
            push(w, moreD2);
         end if;
         if ((global.MEDIUM.t = E) and ((local.outbuf(local.j).t = E)
             or (local.ctr = (k+1)))) then
            push(w, pass_tk2);
         end if;
      when others =>
         null;
   end case;
end Analyze_Predicates_Machine2;



separate (main)
procedure Analyze_Predicates_Machine3 (local  : machine3_state_type;
                                       global : global_variable_type;
                                       s      : natural;
                                       w      : in out transition_stack_package.stack) is
begin
   case s is
      when 0 =>
         if ((global.MEDIUM.t = D) and (global.MEDIUM.DA = local.i)) then
            push(w, rcv3);
         end if;
         if ((global.MEDIUM.t = T) and (global.MEDIUM.DA = local.i)) then
            push(w, get_tk3);
         end if;
      when 1 =>
         push(w, ready3);
      when 2 =>
         if (local.outbuf(local.j).t /= E) then
            push(w, Xmit3);
         end if;
         if (local.outbuf(local.j).t = E) then
            push(w, pass3);
         end if;
      when 3 =>
         if ((global.MEDIUM.t = E) and (local.outbuf(local.j).t /= E) and
             (local.ctr <= k)) then
            push(w, moreD3);
         end if;
         if ((global.MEDIUM.t = E) and ((local.outbuf(local.j).t = E)
             or (local.ctr = (k+1)))) then
            push(w, pass_tk3);
         end if;
      when others =>
         null;
   end case;
end Analyze_Predicates_Machine3;



separate (main)
procedure Analyze_Predicates_Machine4 (local  : machine4_state_type;
                                       global : global_variable_type;
                                       s      : natural;
                                       w      : in out transition_stack_package.stack) is
begin
   case s is
      when 0 =>
         if ((global.MEDIUM.t = D) and (global.MEDIUM.DA = local.i)) then
            push(w, rcv4);
         end if;
         if ((global.MEDIUM.t = T) and (global.MEDIUM.DA = local.i)) then
            push(w, get_tk4);
         end if;
      when 1 =>
         push(w, ready4);
      when 2 =>
         if (local.outbuf(local.j).t /= E) then
            push(w, Xmit4);
         end if;
         if (local.outbuf(local.j).t = E) then
            push(w, pass4);
         end if;
      when 3 =>
         if ((global.MEDIUM.t = E) and (local.outbuf(local.j).t /= E) and
             (local.ctr <= k)) then
            push(w, moreD4);
         end if;
         if ((global.MEDIUM.t = E) and ((local.outbuf(local.j).t = E)
             or (local.ctr = (k+1)))) then
            push(w, pass_tk4);
         end if;
      when others =>
         null;
   end case;
end Analyze_Predicates_Machine4;



separate (main)
procedure Analyze_Predicates_Machine5 (local  : machine5_state_type;
                                       global : global_variable_type;
                                       s      : natural;
                                       w      : in out transition_stack_package.stack) is
begin
   case s is
      when 0 =>
         if ((global.MEDIUM.t = D) and (global.MEDIUM.DA = local.i)) then
            push(w, rcv5);
         end if;
         if ((global.MEDIUM.t = T) and (global.MEDIUM.DA = local.i)) then
            push(w, get_tk5);
         end if;
      when 1 =>
         push(w, ready5);
      when 2 =>
         if (local.outbuf(local.j).t /= E) then
            push(w, Xmit5);
         end if;
         if (local.outbuf(local.j).t = E) then
            push(w, pass5);
         end if;
      when 3 =>
         if ((global.MEDIUM.t = E) and (local.outbuf(local.j).t /= E) and
             (local.ctr <= k)) then
            push(w, moreD5);
         end if;
         if ((global.MEDIUM.t = E) and ((local.outbuf(local.j).t = E)
             or (local.ctr = (k+1)))) then
            push(w, pass_tk5);
         end if;
      when others =>
         null;
   end case;
end Analyze_Predicates_Machine5;



separate (main)
procedure Analyze_Predicates_Machine6 (local  : machine6_state_type;
                                       global : global_variable_type;
                                       s      : natural;
                                       w      : in out transition_stack_package.stack) is
begin
   case s is
      when 0 =>
         if ((global.MEDIUM.t = D) and (global.MEDIUM.DA = local.i)) then
            push(w, rcv6);
         end if;
         if ((global.MEDIUM.t = T) and (global.MEDIUM.DA = local.i)) then
            push(w, get_tk6);
         end if;
      when 1 =>
         push(w, ready6);
      when 2 =>
         if (local.outbuf(local.j).t /= E) then
            push(w, Xmit6);
         end if;
         if (local.outbuf(local.j).t = E) then
            push(w, pass6);
         end if;
      when 3 =>
         if ((global.MEDIUM.t = E) and (local.outbuf(local.j).t /= E) and
             (local.ctr <= k)) then
            push(w, moreD6);
         end if;
         if ((global.MEDIUM.t = E) and ((local.outbuf(local.j).t = E)
             or (local.ctr = (k+1)))) then
            push(w, pass_tk6);
         end if;
      when others =>
         null;
   end case;
end Analyze_Predicates_Machine6;



separate (main)
procedure Analyze_Predicates_Machine7 (local  : machine7_state_type;
                                       global : global_variable_type;
                                       s      : natural;
                                       w      : in out transition_stack_package.stack) is
begin
   case s is
      when 0 =>
         if ((global.MEDIUM.t = D) and (global.MEDIUM.DA = local.i)) then
            push(w, rcv7);
         end if;
         if ((global.MEDIUM.t = T) and (global.MEDIUM.DA = local.i)) then
            push(w, get_tk7);
         end if;
      when 1 =>
         push(w, ready7);
      when 2 =>
         if (local.outbuf(local.j).t /= E) then
            push(w, Xmit7);
         end if;
         if (local.outbuf(local.j).t = E) then
            push(w, pass7);
         end if;
      when 3 =>
         if ((global.MEDIUM.t = E) and (local.outbuf(local.j).t /= E) and
             (local.ctr <= k)) then
            push(w, moreD7);
         end if;
         if ((global.MEDIUM.t = E) and ((local.outbuf(local.j).t = E)
             or (local.ctr = (k+1)))) then
            push(w, pass_tk7);
         end if;
      when others =>
         null;
   end case;
end Analyze_Predicates_Machine7;



separate (main)
procedure Analyze_Predicates_Machine8 (local  : machine8_state_type;
                                       global : global_variable_type;
                                       s      : natural;
                                       w      : in out transition_stack_package.stack) is
begin
   case s is
      when 0 =>
         if ((global.MEDIUM.t = D) and (global.MEDIUM.DA = local.i)) then
            push(w, rcv8);
         end if;
         if ((global.MEDIUM.t = T) and (global.MEDIUM.DA = local.i)) then
            push(w, get_tk8);
         end if;
      when 1 =>
         push(w, ready8);
      when 2 =>
         if (local.outbuf(local.j).t /= E) then
            push(w, Xmit8);
         end if;
         if (local.outbuf(local.j).t = E) then
            push(w, pass8);
         end if;
      when 3 =>
         if ((global.MEDIUM.t = E) and (local.outbuf(local.j).t /= E) and
             (local.ctr <= k)) then
            push(w, moreD8);
         end if;
         if ((global.MEDIUM.t = E) and ((local.outbuf(local.j).t = E)
             or (local.ctr = (k+1)))) then
            push(w, pass_tk8);
         end if;
      when others =>
         null;
   end case;
end Analyze_Predicates_Machine8;



separate (main)
procedure Action (in_system_state  : in out Gstate_record_type;
                  in_transition    : in out scm_transition_type;
                  out_system_state : in out Gstate_record_type) is
begin
   case in_transition is
      when rcv1 =>
         out_system_state.machine1_state.inbuf.SA := in_system_state.global_variables.MEDIUM.SA;
         out_system_state.machine1_state.inbuf.data := in_system_state.global_variables.MEDIUM.data;
      when rcv2 =>
         out_system_state.machine2_state.inbuf.SA := in_system_state.global_variables.MEDIUM.SA;
         out_system_state.machine2_state.inbuf.data := in_system_state.global_variables.MEDIUM.data;
      when rcv3 =>
         out_system_state.machine3_state.inbuf.SA := in_system_state.global_variables.MEDIUM.SA;
         out_system_state.machine3_state.inbuf.data := in_system_state.global_variables.MEDIUM.data;
      when rcv4 =>
         out_system_state.machine4_state.inbuf.SA := in_system_state.global_variables.MEDIUM.SA;
         out_system_state.machine4_state.inbuf.data := in_system_state.global_variables.MEDIUM.data;
      when rcv5 =>
         out_system_state.machine5_state.inbuf.SA := in_system_state.global_variables.MEDIUM.SA;
         out_system_state.machine5_state.inbuf.data := in_system_state.global_variables.MEDIUM.data;
      when rcv6 =>
         out_system_state.machine6_state.inbuf.SA := in_system_state.global_variables.MEDIUM.SA;
         out_system_state.machine6_state.inbuf.data := in_system_state.global_variables.MEDIUM.data;
      when rcv7 =>
         out_system_state.machine7_state.inbuf.SA := in_system_state.global_variables.MEDIUM.SA;
         out_system_state.machine7_state.inbuf.data := in_system_state.global_variables.MEDIUM.data;
      when rcv8 =>
         out_system_state.machine8_state.inbuf.SA := in_system_state.global_variables.MEDIUM.SA;
         out_system_state.machine8_state.inbuf.data := in_system_state.global_variables.MEDIUM.data;

      when ready1 | ready2 | ready3 | ready4 | ready5 | ready6 | ready7 | ready8 =>
         out_system_state.global_variables.MEDIUM.t := E;

      when get_tk1 =>
         out_system_state.global_variables.MEDIUM.t := E;
         out_system_state.machine1_state.ctr := 1;
      when get_tk2 =>
         out_system_state.global_variables.MEDIUM.t := E;
         out_system_state.machine2_state.ctr := 1;
      when get_tk3 =>
         out_system_state.global_variables.MEDIUM.t := E;
         out_system_state.machine3_state.ctr := 1;
      when get_tk4 =>
         out_system_state.global_variables.MEDIUM.t := E;
         out_system_state.machine4_state.ctr := 1;
      when get_tk5 =>
         out_system_state.global_variables.MEDIUM.t := E;
         out_system_state.machine5_state.ctr := 1;
      when get_tk6 =>
         out_system_state.global_variables.MEDIUM.t := E;
         out_system_state.machine6_state.ctr := 1;
      when get_tk7 =>
         out_system_state.global_variables.MEDIUM.t := E;
         out_system_state.machine7_state.ctr := 1;
      when get_tk8 =>
         out_system_state.global_variables.MEDIUM.t := E;
         out_system_state.machine8_state.ctr := 1;

      when pass1 | pass_tk1 =>
         out_system_state.global_variables.MEDIUM.t := T;
         out_system_state.global_variables.MEDIUM.DA := in_system_state.machine1_state.next;
         out_system_state.global_variables.MEDIUM.data := 'E';
         out_system_state.global_variables.MEDIUM.SA := in_system_state.machine1_state.i;
      when pass2 | pass_tk2 =>
         out_system_state.global_variables.MEDIUM.t := T;
         out_system_state.global_variables.MEDIUM.DA := in_system_state.machine2_state.next;
         out_system_state.global_variables.MEDIUM.data := 'E';
         out_system_state.global_variables.MEDIUM.SA := in_system_state.machine2_state.i;
      when pass3 | pass_tk3 =>
         out_system_state.global_variables.MEDIUM.t := T;
         out_system_state.global_variables.MEDIUM.DA := in_system_state.machine3_state.next;
         out_system_state.global_variables.MEDIUM.data := 'E';
         out_system_state.global_variables.MEDIUM.SA := in_system_state.machine3_state.i;
      when pass4 | pass_tk4 =>
         out_system_state.global_variables.MEDIUM.t := T;
         out_system_state.global_variables.MEDIUM.DA := in_system_state.machine4_state.next;
         out_system_state.global_variables.MEDIUM.data := 'E';
         out_system_state.global_variables.MEDIUM.SA := in_system_state.machine4_state.i;
      when pass5 | pass_tk5 =>
         out_system_state.global_variables.MEDIUM.t := T;
         out_system_state.global_variables.MEDIUM.DA := in_system_state.machine5_state.next;
         out_system_state.global_variables.MEDIUM.data := 'E';
         out_system_state.global_variables.MEDIUM.SA := in_system_state.machine5_state.i;
      when pass6 | pass_tk6 =>
         out_system_state.global_variables.MEDIUM.t := T;
         out_system_state.global_variables.MEDIUM.DA := in_system_state.machine6_state.next;
         out_system_state.global_variables.MEDIUM.data := 'E';
         out_system_state.global_variables.MEDIUM.SA := in_system_state.machine6_state.i;
      when pass7 | pass_tk7 =>
         out_system_state.global_variables.MEDIUM.t := T;
         out_system_state.global_variables.MEDIUM.DA := in_system_state.machine7_state.next;
         out_system_state.global_variables.MEDIUM.data := 'E';
         out_system_state.global_variables.MEDIUM.SA := in_system_state.machine7_state.i;
      when pass8 | pass_tk8 =>
         out_system_state.global_variables.MEDIUM.t := T;
         out_system_state.global_variables.MEDIUM.DA := in_system_state.machine8_state.next;
         out_system_state.global_variables.MEDIUM.data := 'E';
         out_system_state.global_variables.MEDIUM.SA := in_system_state.machine8_state.i;



      when Xmit1 =>
         out_system_state.global_variables.MEDIUM
            := in_system_state.machine1_state.outbuf(in_system_state.machine1_state.j);
         out_system_state.machine1_state.outbuf(in_system_state.machine1_state.j).t := E;
         out_system_state.machine1_state.ctr := (in_system_state.machine1_state.ctr mod 8) + 1;
         out_system_state.machine1_state.j := (in_system_state.machine1_state.j mod 7) + 1;
      when Xmit2 =>
         out_system_state.global_variables.MEDIUM
            := in_system_state.machine2_state.outbuf(in_system_state.machine2_state.j);
         out_system_state.machine2_state.outbuf(in_system_state.machine2_state.j).t := E;
         out_system_state.machine2_state.ctr := (in_system_state.machine2_state.ctr mod 8) + 1;
         out_system_state.machine2_state.j := (in_system_state.machine2_state.j mod 7) + 1;
      when Xmit3 =>
         out_system_state.global_variables.MEDIUM
            := in_system_state.machine3_state.outbuf(in_system_state.machine3_state.j);
         out_system_state.machine3_state.outbuf(in_system_state.machine3_state.j).t := E;
         out_system_state.machine3_state.ctr := (in_system_state.machine3_state.ctr mod 8) + 1;
         out_system_state.machine3_state.j := (in_system_state.machine3_state.j mod 7) + 1;
      when Xmit4 =>
         out_system_state.global_variables.MEDIUM
            := in_system_state.machine4_state.outbuf(in_system_state.machine4_state.j);
         out_system_state.machine4_state.outbuf(in_system_state.machine4_state.j).t := E;
         out_system_state.machine4_state.ctr := (in_system_state.machine4_state.ctr mod 8) + 1;
         out_system_state.machine4_state.j := (in_system_state.machine4_state.j mod 7) + 1;
      when Xmit5 =>
         out_system_state.global_variables.MEDIUM
            := in_system_state.machine5_state.outbuf(in_system_state.machine5_state.j);
         out_system_state.machine5_state.outbuf(in_system_state.machine5_state.j).t := E;
         out_system_state.machine5_state.ctr := (in_system_state.machine5_state.ctr mod 8) + 1;
         out_system_state.machine5_state.j := (in_system_state.machine5_state.j mod 7) + 1;
      when Xmit6 =>
         out_system_state.global_variables.MEDIUM
            := in_system_state.machine6_state.outbuf(in_system_state.machine6_state.j);
         out_system_state.machine6_state.outbuf(in_system_state.machine6_state.j).t := E;
         out_system_state.machine6_state.ctr := (in_system_state.machine6_state.ctr mod 8) + 1;
         out_system_state.machine6_state.j := (in_system_state.machine6_state.j mod 7) + 1;
      when Xmit7 =>
         out_system_state.global_variables.MEDIUM
            := in_system_state.machine7_state.outbuf(in_system_state.machine7_state.j);
         out_system_state.machine7_state.outbuf(in_system_state.machine7_state.j).t := E;
         out_system_state.machine7_state.ctr := (in_system_state.machine7_state.ctr mod 8) + 1;
         out_system_state.machine7_state.j := (in_system_state.machine7_state.j mod 7) + 1;
      when Xmit8 =>
         out_system_state.global_variables.MEDIUM
            := in_system_state.machine8_state.outbuf(in_system_state.machine8_state.j);
         out_system_state.machine8_state.outbuf(in_system_state.machine8_state.j).t := E;
         out_system_state.machine8_state.ctr := (in_system_state.machine8_state.ctr mod 8) + 1;
         out_system_state.machine8_state.j := (in_system_state.machine8_state.j mod 7) + 1;

      when moreD1 | moreD2 | moreD3 | moreD4 | moreD5 | moreD6 | moreD7 | moreD8 =>
         null;
      when others =>
         put("Error in action procedure");
   end case;
end Action;
Output Format



separate (main)
procedure output_Gtuple (tuple : in out Gstate_record_type) is
begin
   if print_header then
      new_line(2);
      set_col(7);
      put_line("m1,m2,m3,m4,m5,m6,m7,m8,MEDIUM.t,MEDIUM.DA,MEDIUM.SA,MEDIUM.data");
      print_header := false;
   else
      put(" (" & integer'image(tuple.machine_state(1)));
      put(" , ");
      put(integer'image(tuple.machine_state(2)));
      put(" , ");
      put(integer'image(tuple.machine_state(3)));
      put(" , ");
      put(integer'image(tuple.machine_state(4)));
      put(" , ");
      put(integer'image(tuple.machine_state(5)));
      put(" , ");
      put(integer'image(tuple.machine_state(6)));
      put(" , ");
      put(integer'image(tuple.machine_state(7)));
      put(" , ");
      put(integer'image(tuple.machine_state(8)));
      put(" , ");
      t_field_enum_io.put(tuple.global_variables.MEDIUM.t, set => upper_case);
      put(" , ");
      put(tuple.global_variables.MEDIUM.DA, width => 1);
      put(" , ");
      put(tuple.global_variables.MEDIUM.SA, width => 1);
      put(" , ");
      put(tuple.global_variables.MEDIUM.data);
      put(" ) ");
   end if;
end output_Gtuple;
Program Output (No Message in outbuf Variable)

REACHABILITY ANALYSIS of : tb8.scm
SPECIFICATION



| Machine 1 State Transitions |
| From | To | Transition |
|   0  |  1 | rcv1       |
|   0  |  2 | get_tk1    |
|   1  |  0 | ready1     |
|   2  |  3 | xmit1      |
|   2  |  0 | pass1      |
|   3  |  2 | mored1     |
|   3  |  0 | pass_tk1   |

| Machine 2 State Transitions |
| From | To | Transition |
|   0  |  1 | rcv2       |
|   0  |  2 | get_tk2    |
|   1  |  0 | ready2     |
|   2  |  3 | xmit2      |
|   2  |  0 | pass2      |
|   3  |  2 | mored2     |
|   3  |  0 | pass_tk2   |

| Machine 3 State Transitions |
| From | To | Transition |
|   0  |  1 | rcv3       |
|   0  |  2 | get_tk3    |
|   1  |  0 | ready3     |
|   2  |  3 | xmit3      |
|   2  |  0 | pass3      |
|   3  |  2 | mored3     |
|   3  |  0 | pass_tk3   |

| Machine 4 State Transitions |
| From | To | Transition |
|   0  |  1 | rcv4       |
|   0  |  2 | get_tk4    |
|   1  |  0 | ready4     |
|   2  |  3 | xmit4      |
|   2  |  0 | pass4      |
|   3  |  2 | mored4     |
|   3  |  0 | pass_tk4   |

| Machine 5 State Transitions |
| From | To | Transition |
|   0  |  1 | rcv5       |
|   0  |  2 | get_tk5    |
|   1  |  0 | ready5     |
|   2  |  3 | xmit5      |
|   2  |  0 | pass5      |
|   3  |  2 | mored5     |
|   3  |  0 | pass_tk5   |

| Machine 6 State Transitions |
| From | To | Transition |
|   0  |  1 | rcv6       |
|   0  |  2 | get_tk6    |
|   1  |  0 | ready6     |
|   2  |  3 | xmit6      |
|   2  |  0 | pass6      |
|   3  |  2 | mored6     |
|   3  |  0 | pass_tk6   |

| Machine 7 State Transitions |
| From | To | Transition |
|   0  |  1 | rcv7       |
|   0  |  2 | get_tk7    |
|   1  |  0 | ready7     |
|   2  |  3 | xmit7      |
|   2  |  0 | pass7      |
|   3  |  2 | mored7     |
|   3  |  0 | pass_tk7   |

| Machine 8 State Transitions |
| From | To | Transition |
|   0  |  1 | rcv8       |
|   0  |  2 | get_tk8    |
|   1  |  0 | ready8     |
|   2  |  3 | xmit8      |
|   2  |  0 | pass8      |
|   3  |  2 | mored8     |
|   3  |  0 | pass_tk8   |

SYSTEM REACHABILITY GRAPH

 0  [ 0, 0, 0, 0, 0, 0, 0, 0 ]  0  get_tk1   1
 1  [ 2, 0, 0, 0, 0, 0, 0, 0 ]  0  pass1     2
 2  [ 0, 0, 0, 0, 0, 0, 0, 0 ]  1  get_tk2   3
 3  [ 0, 2, 0, 0, 0, 0, 0, 0 ]  0  pass2     4
 4  [ 0, 0, 0, 0, 0, 0, 0, 0 ]  2  get_tk3   5
 5  [ 0, 0, 2, 0, 0, 0, 0, 0 ]  0  pass3     6
 6  [ 0, 0, 0, 0, 0, 0, 0, 0 ]  3  get_tk4   7
 7  [ 0, 0, 0, 2, 0, 0, 0, 0 ]  0  pass4     8
 8  [ 0, 0, 0, 0, 0, 0, 0, 0 ]  4  get_tk5   9
 9  [ 0, 0, 0, 0, 2, 0, 0, 0 ]  0  pass5    10
10  [ 0, 0, 0, 0, 0, 0, 0, 0 ]  5  get_tk6  11
11  [ 0, 0, 0, 0, 0, 2, 0, 0 ]  0  pass6    12
12  [ 0, 0, 0, 0, 0, 0, 0, 0 ]  6  get_tk7  13
13  [ 0, 0, 0, 0, 0, 0, 2, 0 ]  0  pass7    14
14  [ 0, 0, 0, 0, 0, 0, 0, 0 ]  7  get_tk8  15
15  [ 0, 0, 0, 0, 0, 0, 0, 2 ]  0  pass8     0



SUMMARY OF REACHABILITY ANALYSIS (ANALYSIS COMPLETED)

Number of states generated : 16
Number of states analyzed  : 16
Number of deadlocks        : 0

UNEXECUTED TRANSITIONS

| Machine 1 Unexecuted Transitions |
| From | To | Unexecuted Transition |
|   0  |  1 | rcv1                  |
|   1  |  0 | ready1                |
|   2  |  3 | xmit1                 |
|   3  |  2 | mored1                |
|   3  |  0 | pass_tk1              |

| Machine 2 Unexecuted Transitions |
| From | To | Unexecuted Transition |
|   0  |  1 | rcv2                  |
|   1  |  0 | ready2                |
|   2  |  3 | xmit2                 |
|   3  |  2 | mored2                |
|   3  |  0 | pass_tk2              |

| Machine 3 Unexecuted Transitions |
| From | To | Unexecuted Transition |
|   0  |  1 | rcv3                  |
|   1  |  0 | ready3                |
|   2  |  3 | xmit3                 |
|   3  |  2 | mored3                |
|   3  |  0 | pass_tk3              |

| Machine 4 Unexecuted Transitions |
| From | To | Unexecuted Transition |
|   0  |  1 | rcv4                  |
|   1  |  0 | ready4                |
|   2  |  3 | xmit4                 |
|   3  |  2 | mored4                |
|   3  |  0 | pass_tk4              |

| Machine 5 Unexecuted Transitions |
| From | To | Unexecuted Transition |
|   0  |  1 | rcv5                  |
|   1  |  0 | ready5                |
|   2  |  3 | xmit5                 |
|   3  |  2 | mored5                |
|   3  |  0 | pass_tk5              |

| Machine 6 Unexecuted Transitions |
| From | To | Unexecuted Transition |
|   0  |  1 | rcv6                  |
|   1  |  0 | ready6                |
|   2  |  3 | xmit6                 |
|   3  |  2 | mored6                |
|   3  |  0 | pass_tk6              |

| Machine 7 Unexecuted Transitions |
| From | To | Unexecuted Transition |
|   0  |  1 | rcv7                  |
|   1  |  0 | ready7                |
|   2  |  3 | xmit7                 |
|   3  |  2 | mored7                |
|   3  |  0 | pass_tk7              |

| Machine 8 Unexecuted Transitions |
| From | To | Unexecuted Transition |
|   0  |  1 | rcv8                  |
|   1  |  0 | ready8                |
|   2  |  3 | xmit8                 |
|   3  |  2 | mored8                |
|   3  |  0 | pass_tk8              |
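
The following is an added example, not part of the thesis or its analysis program: a Python cross-check that replays the no-message reachability graph against the per-machine state transition table and derives the unexecuted transitions from it. The row layout (state, machine states, index, transition, next state) and the names TABLE, GRAPH, parse_graph, check_graph and unexecuted are assumptions of this example.

```python
import re

# Per-machine transition table, as printed in the "Machine n State Transitions"
# tables: transition stem -> (from state, to state). Same for all 8 machines.
TABLE = {
    "rcv": (0, 1), "get_tk": (0, 2), "ready": (1, 0), "xmit": (2, 3),
    "pass": (2, 0), "mored": (3, 2), "pass_tk": (3, 0),
}
MACHINES = 8

# Constructed input: the 16 rows of the no-message reachability graph,
# transcribed as "state [m1..m8] index transition next-state".
GRAPH = """\
 0 [0,0,0,0,0,0,0,0] 0 get_tk1  1
 1 [2,0,0,0,0,0,0,0] 0 pass1    2
 2 [0,0,0,0,0,0,0,0] 1 get_tk2  3
 3 [0,2,0,0,0,0,0,0] 0 pass2    4
 4 [0,0,0,0,0,0,0,0] 2 get_tk3  5
 5 [0,0,2,0,0,0,0,0] 0 pass3    6
 6 [0,0,0,0,0,0,0,0] 3 get_tk4  7
 7 [0,0,0,2,0,0,0,0] 0 pass4    8
 8 [0,0,0,0,0,0,0,0] 4 get_tk5  9
 9 [0,0,0,0,2,0,0,0] 0 pass5   10
10 [0,0,0,0,0,0,0,0] 5 get_tk6 11
11 [0,0,0,0,0,2,0,0] 0 pass6   12
12 [0,0,0,0,0,0,0,0] 6 get_tk7 13
13 [0,0,0,0,0,0,2,0] 0 pass7   14
14 [0,0,0,0,0,0,0,0] 7 get_tk8 15
15 [0,0,0,0,0,0,0,2] 0 pass8    0
"""

ROW = re.compile(r"\s*(\d+)\s*\[([^\]]*)\]\s*(\d+)\s+([a-z_]+)(\d)\s+(\d+)\s*$")


def parse_graph(text):
    """Return {state: (machine_states, stem, machine, next_state)}."""
    rows = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ROW.match(line)
        if m is None:
            raise ValueError(f"unparseable row: {line!r}")
        state, tup, _index, stem, machine, nxt = m.groups()
        states = tuple(int(x) for x in tup.split(","))
        if len(states) != MACHINES:
            raise ValueError(f"row {state}: expected {MACHINES} machine states")
        rows[int(state)] = (states, stem, int(machine), int(nxt))
    return rows


def check_graph(rows):
    """Replay every edge; return a list of inconsistencies (empty if none)."""
    errors = []
    for state, (states, stem, machine, nxt) in sorted(rows.items()):
        if stem not in TABLE:
            errors.append(f"state {state}: unknown transition {stem}{machine}")
            continue
        src, dst = TABLE[stem]
        if states[machine - 1] != src:
            errors.append(f"state {state}: {stem}{machine} requires machine "
                          f"{machine} in state {src}, found {states[machine - 1]}")
            continue
        if nxt not in rows:
            errors.append(f"state {state}: successor {nxt} is not in the graph")
            continue
        expected = list(states)
        expected[machine - 1] = dst
        if tuple(expected) != rows[nxt][0]:
            errors.append(f"state {state}: {stem}{machine} should lead to "
                          f"{expected}, successor {nxt} shows {list(rows[nxt][0])}")
    return errors


def unexecuted(rows):
    """Per machine, the table transitions that never label an edge."""
    executed = {(machine, stem) for _, stem, machine, _ in rows.values()}
    return {m: [s for s in TABLE if (m, s) not in executed]
            for m in range(1, MACHINES + 1)}


if __name__ == "__main__":
    graph = parse_graph(GRAPH)
    print("inconsistencies:", check_graph(graph))
    for machine, stems in unexecuted(graph).items():
        print(machine, [f"{s}{machine}" for s in stems])
```

With no message queued, only get_tk and pass ever fire, so the derived list is the same five transitions per machine that the tool reports as unexecuted.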

Program Output (One Message in outbuf Variable)

SYSTEM REACHABILITY GRAPH

 0  [ 0, 0, 0, 0, 0, 0, 0, 0 ]  0  get_tk1    1
 1  [ 2, 0, 0, 0, 0, 0, 0, 0 ]  0  xmit1      2
 2  [ 3, 0, 0, 0, 0, 0, 0, 0 ]  0  rcv2       3
 3  [ 3, 1, 0, 0, 0, 0, 0, 0 ]  0  ready2     4
 4  [ 3, 0, 0, 0, 0, 0, 0, 0 ]  1  pass_tk1   5
 5  [ 0, 0, 0, 0, 0, 0, 0, 0 ]  1  get_tk2    6
 6  [ 0, 2, 0, 0, 0, 0, 0, 0 ]  0  xmit2      7
 7  [ 0, 3, 0, 0, 0, 0, 0, 0 ]  0  rcv1       8
 8  [ 1, 3, 0, 0, 0, 0, 0, 0 ]  0  ready1     9
 9  [ 0, 3, 0, 0, 0, 0, 0, 0 ]  1  pass_tk2  10
10  [ 0, 0, 0, 0, 0, 0, 0, 0 ]  2  get_tk3   11
11  [ 0, 0, 2, 0, 0, 0, 0, 0 ]  0  xmit3     12
12  [ 0, 0, 3, 0, 0, 0, 0, 0 ]  0  rcv1      13
13  [ 1, 0, 3, 0, 0, 0, 0, 0 ]  0  ready1    14
14  [ 0, 0, 3, 0, 0, 0, 0, 0 ]  1  pass_tk3  15
15  [ 0, 0, 0, 0, 0, 0, 0, 0 ]  3  get_tk4   16
16  [ 0, 0, 0, 2, 0, 0, 0, 0 ]  0  xmit4     17
17  [ 0, 0, 0, 3, 0, 0, 0, 0 ]  0  rcv1      18
18  [ 1, 0, 0, 3, 0, 0, 0, 0 ]  0  ready1    19
19  [ 0, 0, 0, 3, 0, 0, 0, 0 ]  1  pass_tk4  20
20  [ 0, 0, 0, 0, 0, 0, 0, 0 ]  4  get_tk5   21
21  [ 0, 0, 0, 0, 2, 0, 0, 0 ]  0  xmit5     22
22  [ 0, 0, 0, 0, 3, 0, 0, 0 ]  0  rcv1      23
23  [ 1, 0, 0, 0, 3, 0, 0, 0 ]  0  ready1    24
24  [ 0, 0, 0, 0, 3, 0, 0, 0 ]  1  pass_tk5  25
25  [ 0, 0, 0, 0, 0, 0, 0, 0 ]  5  get_tk6   26
26  [ 0, 0, 0, 0, 0, 2, 0, 0 ]  0  xmit6     27
27  [ 0, 0, 0, 0, 0, 3, 0, 0 ]  0  rcv1      28
28  [ 1, 0, 0, 0, 0, 3, 0, 0 ]  0  ready1    29
29  [ 0, 0, 0, 0, 0, 3, 0, 0 ]  1  pass_tk6  30
30  [ 0, 0, 0, 0, 0, 0, 0, 0 ]  6  get_tk7   31
31  [ 0, 0, 0, 0, 0, 0, 2, 0 ]  0  xmit7     32
32  [ 0, 0, 0, 0, 0, 0, 3, 0 ]  0  rcv1      33
33  [ 1, 0, 0, 0, 0, 0, 3, 0 ]  0  ready1    34
34  [ 0, 0, 0, 0, 0, 0, 3, 0 ]  1  pass_tk7  35
35  [ 0, 0, 0, 0, 0, 0, 0, 0 ]  7  get_tk8
36  [ 0, 0, 0, 0, 0, 0, 0, 2 ]  0  xmit8
37  [ 0, 0, 0, 0, 0, 0, 0, 3 ]  0  rcv1
38  [ 1, 0, 0, 0, 0, 0, 0, 3 ]  0  ready1
39  [ 0, 0, 0, 0, 0, 0, 0, 3 ]  1  pass_tk8



SUMMARY OF REACHABILITY ANALYSIS (ANALYSIS COMPLETED) 



Number of states generated : 40 
Number of states analyzed :40 
Number of deadlocks : 0 



UNEXECUTED TRANSITIONS

| Machine 1 Unexecuted Transitions |
| From | To | Unexecuted Transition |
| 2    | 0  | pass1                 |
| 3    | 2  | mored1                |

| Machine 2 Unexecuted Transitions |
| From | To | Unexecuted Transition |
| 2    | 0  | pass2                 |
| 3    | 2  | mored2                |

| Machine 3 Unexecuted Transitions |
| From | To | Unexecuted Transition |
| 0    | 1  | rcv3                  |
| 1    | 0  | ready3                |
| 2    | 0  | pass3                 |
| 3    | 2  | mored3                |

| Machine 4 Unexecuted Transitions |
| From | To | Unexecuted Transition |
| 0    | 1  | rcv4                  |
| 1    | 0  | ready4                |
| 2    | 0  | pass4                 |
| 3    | 2  | mored4                |

| Machine 5 Unexecuted Transitions |
| From | To | Unexecuted Transition |
| 0    | 1  | rcv5                  |
| 1    | 0  | ready5                |
| 2    | 0  | pass5                 |
| 3    | 2  | mored5                |

| Machine 6 Unexecuted Transitions |
| From | To | Unexecuted Transition |
| 0    | 1  | rcv6                  |
| 1    | 0  | ready6                |
| 2    | 0  | pass6                 |
| 3    | 2  | mored6                |

| Machine 7 Unexecuted Transitions |
| From | To | Unexecuted Transition |
| 0    | 1  | rcv7                  |
| 1    | 0  | ready7                |
| 2    | 0  | pass7                 |
| 3    | 2  | mored7                |

| Machine 8 Unexecuted Transitions |
| From | To | Unexecuted Transition |
| 0    | 1  | rcv8                  |
| 1    | 0  | ready8                |
| 2    | 0  | pass8                 |
| 3    | 2  | mored8                |

Program Output (More Than One Message in outbuf Variable)

SYSTEM REACHABILITY GRAPH

0  [ 0, 0, 0, 0, 0, 0, 0, 0 ]  0  get_tk1  1
1  [ 2, 0, 0, 0, 0, 0, 0, 0 ]  0  xmit1    2
2  [ 3, 0, 0, 0, 0, 0, 0, 0 ]  0  rcv2     3
3  [ 3, 1, 0, 0, 0, 0, 0, 0 ]  0  ready2   4
4  [ 3, 0, 0, 0, 0, 0, 0, 0 ]  1  mored1   1

SUMMARY OF REACHABILITY ANALYSIS (ANALYSIS COMPLETED)

Number of states generated : 5
Number of states analyzed : 5
Number of deadlocks : 0



UNEXECUTED TRANSITIONS

| Machine 1 Unexecuted Transitions |
| From | To | Unexecuted Transition |
| 0    | 1  | rcv1                  |
| 1    | 0  | ready1                |
| 2    | 0  | pass1                 |
| 3    | 0  | pass_tk1              |

| Machine 2 Unexecuted Transitions |
| From | To | Unexecuted Transition |
| 0    | 2  | get_tk2               |
| 2    | 3  | xmit2                 |
| 2    | 0  | pass2                 |
| 3    | 2  | mored2                |
| 3    | 0  | pass_tk2              |

| Machine 3 Unexecuted Transitions |
| From | To | Unexecuted Transition |
| 0    | 1  | rcv3                  |
| 0    | 2  | get_tk3               |
| 1    | 0  | ready3                |
| 2    | 3  | xmit3                 |
| 2    | 0  | pass3                 |
| 3    | 2  | mored3                |
| 3    | 0  | pass_tk3              |

| Machine 4 Unexecuted Transitions |
| From | To | Unexecuted Transition |
| 0    | 1  | rcv4                  |
| 0    | 2  | get_tk4               |
| 1    | 0  | ready4                |
| 2    | 3  | xmit4                 |
| 2    | 0  | pass4                 |
| 3    | 2  | mored4                |
| 3    | 0  | pass_tk4              |

| Machine 5 Unexecuted Transitions |
| From | To | Unexecuted Transition |
| 0    | 1  | rcv5                  |
| 0    | 2  | get_tk5               |
| 1    | 0  | ready5                |
| 2    | 3  | xmit5                 |
| 2    | 0  | pass5                 |
| 3    | 2  | mored5                |
| 3    | 0  | pass_tk5              |

| Machine 6 Unexecuted Transitions |
| From | To | Unexecuted Transition |
| 0    | 1  | rcv6                  |
| 0    | 2  | get_tk6               |
| 1    | 0  | ready6                |
| 2    | 3  | xmit6                 |
| 2    | 0  | pass6                 |
| 3    | 2  | mored6                |
| 3    | 0  | pass_tk6              |

| Machine 7 Unexecuted Transitions |
| From | To | Unexecuted Transition |
| 0    | 1  | rcv7                  |
| 0    | 2  | get_tk7               |
| 1    | 0  | ready7                |
| 2    | 3  | xmit7                 |
| 2    | 0  | pass7                 |
| 3    | 2  | mored7                |
| 3    | 0  | pass_tk7              |

| Machine 8 Unexecuted Transitions |
| From | To | Unexecuted Transition |
| 0    | 1  | rcv8                  |
| 0    | 2  | get_tk8               |
| 1    | 0  | ready8                |
| 2    | 3  | xmit8                 |
| 2    | 0  | pass8                 |
| 3    | 2  | mored8                |
| 3    | 0  | pass_tk8              |

Program Output (Global Reachability Analysis)

There are seven messages in outbuf variable of each machine.

REACHABILITY ANALYSIS of :tb8.Bcm
SPECIFICATION

| Machine 1 State Transitions |
| From | To | Transition |
| 0    | 1  | rcv1       |
| 0    | 2  | get_tk1    |
| 1    | 0  | ready1     |
| 2    | 3  | xmit1      |
| 2    | 0  | pass1      |
| 3    | 2  | mored1     |
| 3    | 0  | pass_tk1   |

| Machine 2 State Transitions |
| From | To | Transition |
| 0    | 1  | rcv2       |
| 0    | 2  | get_tk2    |
| 1    | 0  | ready2     |
| 2    | 3  | xmit2      |
| 2    | 0  | pass2      |
| 3    | 2  | mored2     |
| 3    | 0  | pass_tk2   |

| Machine 3 State Transitions |
| From | To | Transition |
| 0    | 1  | rcv3       |
| 0    | 2  | get_tk3    |
| 1    | 0  | ready3     |
| 2    | 3  | xmit3      |
| 2    | 0  | pass3      |
| 3    | 2  | mored3     |
| 3    | 0  | pass_tk3   |

| Machine 4 State Transitions |
| From | To | Transition |
| 0    | 1  | rcv4       |
| 0    | 2  | get_tk4    |
| 1    | 0  | ready4     |
| 2    | 3  | xmit4      |
| 2    | 0  | pass4      |
| 3    | 2  | mored4     |
| 3    | 0  | pass_tk4   |

| Machine 5 State Transitions |
| From | To | Transition |
| 0    | 1  | rcv5       |
| 0    | 2  | get_tk5    |
| 1    | 0  | ready5     |
| 2    | 3  | xmit5      |
| 2    | 0  | pass5      |
| 3    | 2  | mored5     |
| 3    | 0  | pass_tk5   |

| Machine 6 State Transitions |
| From | To | Transition |
| 0    | 1  | rcv6       |
| 0    | 2  | get_tk6    |
| 1    | 0  | ready6     |
| 2    | 3  | xmit6      |
| 2    | 0  | pass6      |
| 3    | 2  | mored6     |
| 3    | 0  | pass_tk6   |

| Machine 7 State Transitions |
| From | To | Transition |
| 0    | 1  | rcv7       |
| 0    | 2  | get_tk7    |
| 1    | 0  | ready7     |
| 2    | 3  | xmit7      |
| 2    | 0  | pass7      |
| 3    | 2  | mored7     |
| 3    | 0  | pass_tk7   |

| Machine 8 State Transitions |
| From | To | Transition |
| 0    | 1  | rcv8       |
| 0    | 2  | get_tk8    |
| 1    | 0  | ready8     |
| 2    | 3  | xmit8      |
| 2    | 0  | pass8      |
| 3    | 2  | mored8     |
| 3    | 0  | pass_tk8   |

REACHABILITY GRAPH

[m1, m2, m3, m4, m5, m6, m7, m8, MEDIUM.t, MEDIUM.DA, MEDIUM.SA, MEDIUM.data]

[Reachability graph rows not recoverable]

Number of states generated : 263
Number of states analyzed : 263
Number of deadlocks : 0